Bug 94945 (CVE-2005-2095)

Summary: VUL-0: CVE-2005-2095: squirrelmail unauthorized changing of variables
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2095: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: sqm_144_ident.diff

Description Thomas Biege 2005-07-01 09:43:49 UTC
Hi,
we have another one. 

From: Thijs Kinkhorst <kink@squirrelmail.org>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
To: vendor-sec@lst.de
Subject: [vendor-sec] SquirrelMail vulnerability in options_identites.php
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 01 Jul 2005 10:21:18 +0200

[-- PGP output follows (current time: Fri 01 Jul 2005 11:39:59 CEST) --]
gpg: Unterschrift vom Fr 01 Jul 2005 10:21:20 CEST, DSA Schlüssel ID 957D58CF
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- End of PGP output --]

[-- The following data is signed --]

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.1K --]

Hello all,

A new vulnerability has been discovered in SquirrelMail. The file
src/options_identities.php contained some very bad, legacy code: an
extract($_POST) was done, effectively allowing a malicious attacker to
change session variables and even other people's preferences.

It must be noted that for this to happen you need to trick someone into
using an external form to post the information which is not trivial.

Affected versions:
1.4.0 - 1.4.5-RC1  (current stable tree)
1.2.8 - 1.2.10     (unsupported old stable tree)
1.5.x CVS          (unsupported current development tree)

Not vulnerable:
Everything before 1.2.8.

Our proposed patch is attached; unfortunately we had to rework some
functions to fix them the right way because the previous code really
depended on the extract() call.

We will release 1.4.5 sometime next week with the patch included. Fixes
for unsupported trees will be applied to their CVS branches but no new
releases will be made.

Credits for finding the issue go to James Bercegay of GulfTech Security
Research.

Regards,
Thijs Kinkhorst
SquirrelMail Development Team

[-- Attachment #2: sqm_144_ident.diff --]
[-- Type: text/plain, Encoding: 7bit, Size: 20K --]

===================================================================
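The extract($_POST) pattern the advisory describes, as an added illustration that is not SquirrelMail's code: the $session and $post arrays and the saveIdentityLegacy/saveIdentityFixed functions are hypothetical, constructed only to show how a submitted field silently overwrites a trusted variable and how reading named fields avoids it.

```php
<?php
// Added example of the bug class in the advisory above. Everything here is
// constructed and hypothetical; it is not code from SquirrelMail.

// Constructed per-user state the handler trusts (who is logged in).
$session = ['username' => 'alice'];

// Constructed form submission. In a real request this would be $_POST.
// It carries one field the handler never expected.
$post = [
    'full_name' => 'Alice Example',
    'username'  => 'bob',   // unexpected key, collides with trusted state
];

// Legacy pattern: extract() turns every submitted key into a local variable,
// so a field named like an internal variable replaces it.
function saveIdentityLegacy(array $session, array $post): array
{
    $username = $session['username'];   // trusted value from the session
    extract($post);                      // $username is now 'bob'
    return ['owner' => $username, 'full_name' => $full_name];
}

// Hardened pattern: read only the fields this form is allowed to submit,
// by name, and keep the owner bound to the session.
function saveIdentityFixed(array $session, array $post): array
{
    $username = $session['username'];
    $fullName = isset($post['full_name']) ? (string) $post['full_name'] : '';
    return ['owner' => $username, 'full_name' => $fullName];
}

$legacy = saveIdentityLegacy($session, $post);
$fixed  = saveIdentityFixed($session, $post);

// The legacy handler files Alice's preference under the attacker-chosen
// account; the fixed handler keeps it on the session owner.
printf("legacy owner: %s\n", $legacy['owner']);
printf("fixed owner:  %s\n", $fixed['owner']);
```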
Comment 1 Thomas Biege 2005-07-01 09:45:39 UTC
Created attachment 40808 [details]
sqm_144_ident.diff

hope they get it right the first time. ;)
Comment 2 Thomas Biege 2005-07-01 09:55:27 UTC
Maybe you can include it in the not-yet-checked-in squirrelmail package from the
last update.
Comment 3 Marian Jancar 2005-07-01 16:45:21 UTC
ok
Comment 4 Marcus Meissner 2005-07-04 07:55:23 UTC
CAN-2005-2095 
Comment 5 Thomas Biege 2005-07-04 11:11:00 UTC
SM-Tracker-1699
Comment 6 Marian Jancar 2005-07-04 13:07:48 UTC
the whitespace seems to be mangled in the patch
Comment 7 Marian Jancar 2005-07-04 13:48:27 UTC
never mind, it is already in the cvs
Comment 8 Marian Jancar 2005-07-04 14:23:10 UTC
except for the 1.2 it's not there yet, will it be available before the issue goes
public?
Comment 9 Thomas Biege 2005-07-04 14:54:10 UTC
Hm, I do not understand the last comment.
Comment 10 Marian Jancar 2005-07-04 16:29:31 UTC
cvs of the squirrelmail 1.2 (that is in 8.2) is not fixed yet (in contrast to
the 1.4), if it will be (or we get the patch from the authors) before it goes
public I will wait, otherwise I will try to backport the patch for 1.4
Comment 11 Thomas Biege 2005-07-05 06:22:19 UTC
Ah, ok. :)

I don't have any information regarding 1.2.
Would you mind asking the author? Thanks.
Comment 12 Ludwig Nussel 2005-07-11 14:50:09 UTC
CRD July 13th 
Comment 13 Marian Jancar 2005-07-11 19:09:11 UTC
I will not have the fix for the 1.2 before the July 13, and as the support for
8.2 ends July 14, I think it is not worth working on it. Opinions?
Comment 14 Marcus Meissner 2005-07-12 07:34:28 UTC
actually we stop accepting _NEW_ reports on july 14. 
 
however, i think we can skip 8.2 for this exact problem... 
 
9.0-9.3 fix is sufficient. 
Comment 15 Marcus Meissner 2005-07-12 16:02:05 UTC
can you please submit packages if you have any? 
Comment 16 Marian Jancar 2005-07-12 16:42:48 UTC
I'm testing, will submit them in about an hour.
Comment 17 Marian Jancar 2005-07-12 20:04:05 UTC
fixes submitted (I have been a bit too optimistic about the hour)
Comment 18 Marcus Meissner 2005-07-19 09:24:14 UTC
updates approved. 
Comment 19 Thomas Biege 2009-10-13 21:30:14 UTC
CVE-2005-2095: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)