squirrelmail: CVE-2006-3174: cross-site scripting in search.php when register_globals is on

Related Vulnerabilities: CVE-2006-3174   CVE-2006-2842  

Debian Bug report logs - #375782

Reported by: Alec Berryman <alec@thened.net>

Date: Wed, 28 Jun 2006 01:48:10 UTC

Severity: important

Tags: security, unreproducible, upstream

Fixed in version squirrelmail/2:1.4.7-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#375782; Package squirrelmail.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squirrelmail: CVE-2006-3174: cross-site scripting in search.php when register_globals is on
Date: Tue, 27 Jun 2006 21:29:26 -0400
Package: squirrelmail
Severity: important
Tags: security

CVE-2006-3174: "Cross-site scripting (XSS) vulnerability in search.php
in SquirrelMail 1.5.1 and earlier, when register_globals is enabled,
allows remote attackers to inject arbitrary HTML via the mailbox
parameter."

The description from the information linked in the CVE:

"SquirrelMail contains a flaw that allows a remote Cross-Site Scripting
attacks. Input passed to the "mailbox" parameter in "search.php" isn't
properly sanitised before being returned to the user.  This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site."

There does not appear to be a patch available.  However, the CVE notes
this is only a vulnerability when register_globals is on, which is not
the default configuration in Debian.  I have not confirmed this
vulnerability myself.

Please include the CVE in the changelog.

Thanks,

Alec




Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#375782; Package squirrelmail.


Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #10 received at 375782@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Alec Berryman <alec@thened.net>, 375782@bugs.debian.org
Subject: Re: Bug#375782: squirrelmail: CVE-2006-3174: cross-site scripting in search.php when register_globals is on
Date: Thu, 29 Jun 2006 13:15:54 +0200

Hello Alec,

> CVE-2006-3174: "Cross-site scripting (XSS) vulnerability in search.php
> in SquirrelMail 1.5.1 and earlier, when register_globals is enabled,
> allows remote attackers to inject arbitrary HTML via the mailbox
> parameter."

Thank you for your report. Interestingly enough, there has been no
contact with the SquirrelMail team about this CVE assignment or this
vulnerability and I'm therefore also a bit puzzled as to where it
originates.

I'll check it out and see whether something needs to be fixed.

> this is only a vulnerability when register_globals is on, which is not
> the default configuration in Debian.

A setup with register_globals set to On when it's not needed is
knowingly insecure.


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#375782; Package squirrelmail.


Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #15 received at 375782@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Alec Berryman <alec@thened.net>, 375782@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#375782: squirrelmail: CVE-2006-3174: cross-site scripting in search.php when register_globals is on
Date: Thu, 29 Jun 2006 16:27:37 +0200

tags 375782 unreproducible upstream
thanks

Hello Alec,

On Tue, 2006-06-27 at 21:29 -0400, Alec Berryman wrote:
> CVE-2006-3174: "Cross-site scripting (XSS) vulnerability in search.php
> in SquirrelMail 1.5.1 and earlier, when register_globals is enabled,
> allows remote attackers to inject arbitrary HTML via the mailbox
> parameter."

I've taken a look, and can't reproduce the issue at all. I'm also not
sure how it should work and how it relates to the register_globals that
was mentioned. The report excels in vagueness.

I've forwarded the issue upstream for some others to look at, maybe
someone else can figure out how to reproduce it or whether it's bogus.


thanks,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#375782; Package squirrelmail.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #20 received at 375782@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 375782@bugs.debian.org
Subject: Re: Bug#375782: squirrelmail: CVE-2006-3174: cross-site scripting in search.php when register_globals is on
Date: Thu, 29 Jun 2006 10:36:14 -0400

Thijs Kinkhorst on 2006-06-29 16:27:37 +0200:

> I've taken a look, and can't reproduce the issue at all. I'm also not
> sure how it should work and how it relates to the register_globals
> that was mentioned. The report excels in vagueness.

I agree completely.

> I've forwarded the issue upstream for some others to look at, maybe
> someone else can figure out how to reproduce it or whether it's bogus.

Thanks.

Tags added: unreproducible, upstream. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.


Tags added: pending. Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org.


Message sent on to Alec Berryman <alec@thened.net>:
Bug#375782.


Message #27 received at 375782-submitter@bugs.debian.org:

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 373731-submitter@bugs.debian.org, 375782-submitter@bugs.debian.org, 376605-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r250
Date: Wed, 05 Jul 2006 00:19:21 +0200
# Fixed in r250 by kink
tag 373731 + pending
tag 375782 + pending
tag 376605 + pending
thanks

These bugs are fixed in revision 250 by kink
and will likely get fixed in the next upload.
Log message:
* New upstream bugfix release.
  + Addresses some low-impact, theoretical or disputed security bugs,
    for which the code is tightened just-in-case:
    - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
    - XSS in search.php (Closes: #375782, CVE-2006-3174)
  + Adds note to db-backend.txt about postgreSQL (Closes: #376605).
* Update maintainer address.





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #32 received at 375782-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 375782-close@bugs.debian.org
Subject: Bug#375782: fixed in squirrelmail 2:1.4.7-1
Date: Wed, 05 Jul 2006 07:47:10 -0700
Source: squirrelmail
Source-Version: 2:1.4.7-1

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.7-1.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.7-1.diff.gz
squirrelmail_1.4.7-1.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.7-1.dsc
squirrelmail_1.4.7-1_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.7-1_all.deb
squirrelmail_1.4.7.orig.tar.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 375782@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue,  4 Jul 2006 14:49:23 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.7-1
Distribution: unstable
Urgency: low
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 373731 375782 376605
Changes: 
 squirrelmail (2:1.4.7-1) unstable; urgency=low
 .
   * New upstream bugfix release.
     + Addresses some low-impact, theoretical or disputed security bugs,
       for which the code is tightened just-in-case:
       - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
       - XSS in search.php (Closes: #375782, CVE-2006-3174)
     + Adds note to db-backend.txt about postgreSQL (Closes: #376605).
 .
   * Checked for standards version to 3.7.2, no changes necessary.
   * Update maintainer address.
Files: 
 9327e164914f423de04e95a14b6980f7 669 web optional squirrelmail_1.4.7-1.dsc
 f53c91d7799cd8fd9d0550f2cc7a8815 612756 web optional squirrelmail_1.4.7.orig.tar.gz
 b93c6d5e765e18df230d220bc3e4ebc0 18213 web optional squirrelmail_1.4.7-1.diff.gz
 be828f0b1f980489834606c7c4bab164 609220 web optional squirrelmail_1.4.7-1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 19:47:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:03:18 2019; Machine Name: buxtehude
