Gentoo Archives: gentoo-announce

From: Stefan Cornelius <dercorny@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200603-09 ] SquirrelMail: Cross-site scripting and IMAP command injection
Date: Sun, 12 Mar 2006 15:13:11
Message-Id: 200603121553.08128.dercorny@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200603-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: SquirrelMail: Cross-site scripting and IMAP command injection
      Date: March 12, 2006
      Bugs: #123781
        ID: 200603-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail is vulnerable to several cross-site scripting
vulnerabilities and IMAP command injection.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  mail-client/squirrelmail       < 1.4.6                   >= 1.4.6

Description
===========

SquirrelMail does not validate the right_frame parameter in
webmail.php, possibly allowing frame replacement or cross-site
scripting (CVE-2006-0188). Martijn Brinkers and Scott Hughes discovered
that MagicHTML fails to handle certain input correctly, potentially
leading to cross-site scripting (only Internet Explorer,
CVE-2006-0195). Vicente Aguilera reported that the
sqimap_mailbox_select function did not strip newlines from the mailbox
or subject parameter, possibly allowing IMAP command injection
(CVE-2006-0377).
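
The newline handling behind CVE-2006-0377, shown as an added Python example that is not SquirrelMail's code or part of the advisory: a mailbox name containing CR/LF splits one SELECT into two command lines, and a check rejects such a name before quoting it. The function names, tag values and sample mailbox names are assumptions made for illustration.

```python
"""Added example (not SquirrelMail code): CR/LF in an IMAP mailbox argument."""


class UnsafeMailboxName(ValueError):
    """The name cannot be sent as an IMAP quoted string."""


def naive_select(tag: str, mailbox: str) -> bytes:
    # Vulnerable pattern: request text is pasted straight into the command.
    return f'{tag} SELECT "{mailbox}"\r\n'.encode("latin-1")


def quote_mailbox(mailbox: str) -> str:
    # RFC 3501 quoted strings carry 7-bit characters other than NUL, CR, LF.
    for ch in mailbox:
        if ch in "\r\n\x00" or ord(ch) > 0x7F:
            raise UnsafeMailboxName(f"illegal character {ch!r} in mailbox name")
    # Backslash and double quote are the quoted-specials; escape both.
    escaped = mailbox.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def safe_select(tag: str, mailbox: str) -> bytes:
    return f"{tag} SELECT {quote_mailbox(mailbox)}\r\n".encode("ascii")


def count_commands(wire: bytes) -> int:
    # The server reads each CRLF-terminated line as one command.
    return sum(1 for line in wire.split(b"\r\n") if line)


# Constructed sample values standing in for a request parameter.
BENIGN = "INBOX.Sent"
CRAFTED = "INBOX\r\nA002 NOOP"  # embedded CRLF followed by a harmless NOOP

if __name__ == "__main__":
    for name in (BENIGN, CRAFTED):
        print(repr(name), "naive ->", count_commands(naive_select("A001", name)), "command(s)")
        try:
            print("  safe  ->", safe_select("A001", name))
        except UnsafeMailboxName as exc:
            print("  safe  -> rejected:", exc)
```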

Impact
======

By exploiting the cross-site scripting vulnerabilities, an attacker can
execute arbitrary scripts running in the context of the victim's
browser. This could lead to a compromise of the user's webmail account,
cookie theft, etc. A remote attacker could exploit the IMAP command
injection to execute arbitrary IMAP commands on the configured IMAP
server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.6"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

References
==========

  [ 1 ] CVE-2006-0188
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
  [ 2 ] CVE-2006-0195
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
  [ 3 ] CVE-2006-0377
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0