Bugzilla – Bug 94945
VUL-0: CVE-2005-2095: squirrelmail unauthorized changing of variables
Last modified: 2021-11-21 15:35:57 UTC
Hi, we have another one.

From: Thijs Kinkhorst <kink@squirrelmail.org>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
To: vendor-sec@lst.de
Subject: [vendor-sec] SquirrelMail vulnerability in options_identites.php
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 01 Jul 2005 10:21:18 +0200

[-- PGP output follows (current time: Fri 01 Jul 2005 11:39:59 CEST) --]
gpg: Signature made Fri 01 Jul 2005 10:21:20 CEST, DSA key ID 957D58CF
gpg: Can't check signature: public key not found
[-- End of PGP output --]

[-- The following data is signed --]

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.1K --]

Hello all,

A new vulnerability has been discovered in SquirrelMail. The file src/options_identities.php contained some very bad, legacy code: an extract($_POST) was done, effectively allowing a malicious attacker to change session variables and even other people's preferences. It must be noted that for this to happen you need to trick someone into using an external form to post the information, which is not trivial.

Affected versions:
1.4.0 - 1.4.5-RC1 (current stable tree)
1.2.8 - 1.2.10 (unsupported old stable tree)
1.5.x CVS (unsupported current development tree)

Not vulnerable: everything before 1.2.8.

Our proposed patch is attached; unfortunately we had to rework some functions to fix them the right way, because the previous code really depended on the extract() call. We will release 1.4.5 sometime next week with the patch included. Fixes for unsupported trees will be applied to their CVS branches, but no new releases will be made.

Credits for finding the issue go to James Bercegay of GulfTech Security Research.

Regards,
Thijs Kinkhorst
SquirrelMail Development Team

[-- Attachment #2: sqm_144_ident.diff --]
[-- Type: text/plain, Encoding: 7bit, Size: 20K --]
===================================================================
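As an added illustration of the extract($_POST) pattern the advisory above describes (this is not SquirrelMail's code and not the attached patch; the function names, the identity fields, the session-derived $username and the request bodies are hypothetical), here is the legacy style beside an explicit-whitelist replacement. With the legacy handler the record's 'owner' follows whatever 'username' the request body carries, so a form hosted elsewhere can make a logged-in user write preferences under another account; the fixed handler never lets the request body touch state that came from the session.

```php
<?php
// Added example, not SquirrelMail code: the extract($_POST) pattern from the
// advisory beside an explicit-whitelist replacement. Function names, field
// names, the $username value and the POST bodies below are hypothetical.

declare(strict_types=1);

// Legacy style: every key of the request body becomes a local variable.
// Anything already in scope with the same name is silently overwritten,
// including values that were loaded from the authenticated session.
function save_identity_legacy(array $post, string $username): array
{
    $full_name = '';
    $email     = '';
    extract($post); // clobbers $username if the form also posted 'username'
    return ['owner' => $username, 'full_name' => $full_name, 'email' => $email];
}

// Hardened style: read only the fields the form is known to carry, and
// leave the session-derived owner out of reach of the request body.
function save_identity_fixed(array $post, string $username): array
{
    $allowed = ['full_name', 'email'];
    $fields  = ['full_name' => '', 'email' => ''];
    foreach ($allowed as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $fields[$key] = $post[$key];
        }
    }
    return ['owner' => $username] + $fields;
}

// Constructed request bodies. The second is what a malicious external form
// could submit on a logged-in user's behalf: the regular fields plus an
// extra 'username' key that the real form never sends.
$legitimate = ['full_name' => 'Alice', 'email' => 'alice@example.org'];
$malicious  = ['full_name' => 'Alice', 'email' => 'alice@example.org',
               'username'  => 'bob'];

$owner = 'alice'; // in the real application this comes from the session

$handlers = ['legacy' => 'save_identity_legacy', 'fixed' => 'save_identity_fixed'];
foreach ($handlers as $label => $fn) {
    foreach (['legitimate' => $legitimate, 'malicious' => $malicious] as $kind => $body) {
        $rec = $fn($body, $owner);
        printf("%-6s %-10s -> owner=%s full_name=%s email=%s\n",
            $label, $kind, $rec['owner'], $rec['full_name'], $rec['email']);
    }
}
```

The fix is the same one the advisory describes in spirit: stop importing the request body wholesale and have each handler name the fields it expects. extract() with EXTR_SKIP would protect variables that already exist, but it still lets the request create any variable a later code path happens to read, so a whitelist is the safer shape.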
Created attachment 40808: sqm_144_ident.diff

Hope they get it right the first time. ;)
Maybe you can include it in the not-yet-checked-in squirrelmail package from the last update.
ok
CAN-2005-2095
SM-Tracker-1699
The whitespace seems to be mangled in the patch.
Never mind, it is already in the CVS.
Except for 1.2, it's not there yet; will it be available before the issue goes public?
Hm, I do not understand the last comment.
The CVS of squirrelmail 1.2 (that is in 8.2) is not fixed yet (in contrast to 1.4). If it will be (or we get the patch from the authors) before it goes public, I will wait; otherwise I will try to backport the patch for 1.4.
Ah, ok. :) I don't have any information regarding 1.2. Would you mind asking the author? Thanks.
CRD July 13th
I will not have the fix for 1.2 before July 13, and as support for 8.2 ends July 14, I think it is not worth working on it. Opinions?
Actually we stop accepting _NEW_ reports on July 14. However, I think we can skip 8.2 for this exact problem... a 9.0-9.3 fix is sufficient.
Can you please submit packages if you have any?
I'm testing, will submit them in about an hour.
Fixes submitted (I have been a bit too optimistic about the hour).
updates approved.
CVE-2005-2095: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)