- Fix typo in SpamCop plugin.
- Reduced default time security tokens stay valid from 30 days to 2 days
(reduces chances of session data growing too large)
+ - Fixed minor vulnerability in Mail Fetch plugin [CVE-2010-1637/TEHTRI-SA-2010-009]
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------
reenter account's passwords the system will switch to encrypted mode.
+Security
+========
+
+By default, the user is not allowed to enter a non-standard POP3 port
+number when configuring an external server with this plugin. This prevents
+the use of this plugin as a port scanner against other servers. However,
+if you need to allow users to access a POP3 service running on a non-
+standard port, you may create a "config.php" file by copying "config_example.php"
+and editing the list of allowable port numbers therein. If "ALL" is added
+to the list of allowable port numbers, then there will be no restriction
+on port numbers whatsoever. Be aware that although this may not represent
+any security threat to servers elsewhere on the Internet that does not
+already exist (other port scanners are freely available), if your server
+resides on a network behind a firewall, this could allow a malicious user
+to scan the servers and services behind your firewall that they'd normally
+not have access to.
+
+The user will also not be allowed to enter server addresses starting
+with "10.", "192.", "127." and "localhost" by default. This prevents users
+from being able to scan an internal network for the presence of other servers
+they are not allowed to access. If other server addresses should be banned,
+or this list is too restrictive, you may create a "config.php" file by copying
+"config_example.php" and then edit the list of blocked server addresses
+therein.
+
+
Future Work
===========
* @subpackage mail_fetch
*/
+
/**
- * Controls use of unsubscribed folders in plugin. Change this to true if it is
- * allowed to store fetched messages in unsubscribed folders.
+ * Controls use of unsubscribed folders in plugin. Change this to true
+ * and save this file as "config.php" if it is allowed to store
+ * fetched messages in unsubscribed folders.
*/
$mail_fetch_allow_unsubscribed = false;
+
+
+// This is the list of POP3 ports the user may specify.
+//
+// Usually, this does not need to be used at all, and
+// ports 110 and 995 will be the only available ports.
+//
+// If users are allowed to access POP3 that is served
+// on a non-standard port, you'll need to add that port
+// to this list and make sure this file is saved as
+// "config.php" in the mail_fetch plugin directory
+//
+// If you do not wish to restrict the allowable port
+// numbers at all, include "ALL" in this list.
+//
+$mail_fetch_allowable_ports = array(110, 995);
+
+
+
+// This is a pattern match that allows you to block
+// access to certain server addresses. This prevents
+// a user from attempting to try to specify certain
+// servers when adding a POP3 address.
+//
+// By default, this plugin will block POP3 server
+// addresses starting with "10.", "192.", "127." and
+// "localhost" (the pattern shown below).
+//
+// If you want to block other addresses, you'll need
+// to add them to this pattern and make sure that this
+// file is saved as "config.php" in the mail_fetch
+// plugin diretory
+//
+// If you do not wish to restrict the allowable server
+// addresses at all, set this value to be "UNRESTRICTED"
+//
+// This is a full regular expression pattern
+//
+// Allow anything:
+//
+// $mail_fetch_block_server_pattern = 'UNRESTRICTED';
+//
+// Default pattern:
+//
+$mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+
include_once (SM_PATH . 'plugins/mail_fetch/class.mail_fetch.php');
/** declare plugin globals */
-global $mail_fetch_allow_unsubscribed;
+global $mail_fetch_allow_unsubscribed, $mail_fetch_allowable_ports,
+ $mail_fetch_block_server_pattern;
/**
* Add link to menu at top of content pane
}
return false;
}
+
+/**
+ * Validate a requested POP3 port number
+ *
+ * Allowable port numbers are configured in config.php
+ * (see config_example.php for an example and more
+ * rules about how the list of allowable port numbers
+ * can be specified)
+ *
+ * @param int $requested_port The port number given by the user
+ *
+ * @return string An error string is returned if the port
+ * number is not allowable, otherwise an
+ * empty string is returned.
+ *
+ */
+function validate_mail_fetch_port_number($requested_port) {
+ global $mail_fetch_allowable_ports;
+ if (empty($mail_fetch_allowable_ports))
+ $mail_fetch_allowable_ports = array(110, 995);
+
+ if (in_array('ALL', $mail_fetch_allowable_ports))
+ return '';
+
+ if (!in_array($requested_port, $mail_fetch_allowable_ports)) {
+ sq_change_text_domain('mail_fetch');
+ $error = _("Sorry, that port number is not allowed");
+ sq_change_text_domain('squirrelmail');
+ return $error;
+ }
+
+ return '';
+}
+
+/**
+ * Validate a requested POP3 server address
+ *
+ * Blocked server addresses are configured in config.php
+ * (see config_example.php for more details)
+ *
+ * @param int $requested_address The server address given by the user
+ *
+ * @return string An error string is returned if the server
+ * address is not allowable, otherwise an
+ * empty string is returned.
+ *
+ */
+function validate_mail_fetch_server_address($requested_address) {
+ global $mail_fetch_block_server_pattern;
+ if (empty($mail_fetch_block_server_pattern))
+ $mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+ if ($mail_fetch_block_server_pattern == 'UNRESTRICTED')
+ return '';
+
+ if (preg_match($mail_fetch_block_server_pattern, $requested_address)) {
+ sq_change_text_domain('mail_fetch');
+ $error = _("Sorry, that server address is not allowed");
+ sq_change_text_domain('squirrelmail');
+ return $error;
+ }
+
+ return '';
+}
+
sqgetGlobalVar('mf_auth', $mf_auth, SQ_POST);
sqgetGlobalVar('mf_type', $mf_type, SQ_POST);
sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST);
+$mf_port = trim($mf_port);
+$mf_server = trim($mf_server);
/* end globals */
switch( $mf_action ) {
case 'add':
+
+ $mf_action = 'config';
+
+ // restrict port number if necessary
+ //
+ $message = validate_mail_fetch_port_number($mf_port);
+ if (!empty($message)) break;
+
+ // restrict server address if necessary
+ //
+ $message = validate_mail_fetch_server_address($mf_server);
+ if (!empty($message)) break;
+
if ($mf_sn<1) $mf_sn=0;
if (!isset($mf_server)) return;
setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
setPref($data_dir,$username,"mailfetch_type_$mf_sn",(isset($mf_type)?$mf_type:MAIL_FETCH_USE_PLAIN));
$mf_sn++;
setPref($data_dir,$username,'mailfetch_server_number', $mf_sn);
- $mf_action = 'config';
break;
+
+ // modify a server
+ //
case 'confirm_modify':
- //modify a server
+
+ // restrict port number if necessary
+ //
+ $message = validate_mail_fetch_port_number($mf_port);
+ if (!empty($message)) {
+ $mf_action = 'Modify';
+ break;
+ }
+
+ // restrict server address if necessary
+ //
+ $message = validate_mail_fetch_server_address($mf_server);
+ if (!empty($message)) {
+ $mf_action = 'Modify';
+ break;
+ }
+
if (!isset($mf_server)) return;
setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
setPref($data_dir,$username,"mailfetch_port_$mf_sn", (isset($mf_port)?$mf_port:110));
) ,
'center', '', 'width="95%"' );
+// display error or other messages if necessary
+//
+if (!empty($message)) {
+ echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
+ html_tag( 'tr',
+ html_tag( 'td', '<b>' . $message . '</b>', 'center', $color[2] ));
+}
+
switch( $mf_action ) {
case 'config':
echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
projects / squirrelmail.git / commitdiff