From 3824e89aa69f6db72f7f7789ac3fa78318c362b9 Mon Sep 17 00:00:00 2001
From: tokul
Date: Sat, 30 Sep 2006 07:38:03 +0000
Subject: [PATCH] block uw mailbox abuse in imap select command instead of applying same code in all scripts that get $mailbox from GET or POST. don't check imap_server_type, because interface can be used with different type setting. display error message instead of silently overriding $mailbox. (#1557078)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@11781 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 ChangeLog | 4 +++-
 functions/imap_mailbox.php | 19 +++++++++++++++++++
 src/right_main.php | 5 -----
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5b87af57..08e01578 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -135,7 +135,9 @@ Version 1.5.2 - CVS - Added APOP, TLS and STLS support to mail_fetch plugin (#575299). - Added Courier IMAP OUTBOX check to configtest utility. - Moved login_form hook to its own table row on login page. - - Added check_plugin_version() function + - Added check_plugin_version() function. + - If mailbox name starts with slash or contains ../, error message is + generated. Safety check for insecure default UW IMAP setup (#1557078). Version 1.5.1 (branched on 2006-02-12) --------------------------------------
diff --git a/functions/imap_mailbox.php b/functions/imap_mailbox.php
index 40ceac2d..b6a36c0f 100755
--- a/functions/imap_mailbox.php
+++ b/functions/imap_mailbox.php
@@ -364,8 +364,27 @@ function sqimap_mailbox_select ($imap_stream, $mailbox) { if ($mailbox == 'None') { return; } + // cleanup $mailbox in order to prevent IMAP injection attacks $mailbox = str_replace(array("\r","\n"), array("",""),$mailbox); + + /** + * Default UW IMAP server configuration allows to access other files + * on server. $imap_server_type is not checked because interface can + * be used with 'other' or any other server type setting. $mailbox + * variable can be modified in any script that uses variable from GET + * or POST. This code blocks all standard SquirrelMail IMAP API requests + * that use mailbox with full path (/etc/passwd) or with ../ characters + * in path (../../etc/passwd) + */ + if (strstr($mailbox, '../') || substr($mailbox, 0, 1) == '/') { + global $oTemplate; + error_box(sprintf(_("Invalid mailbox name: %s"),htmlspecialchars($mailbox))); + sqimap_logout($imap_stream); + $oTemplate->display('footer.tpl'); + die(); + } + $read = sqimap_run_command($imap_stream, 'SELECT ' . sqimap_encode_mailbox_name($mailbox), true, $response, $message); $result = array();
diff --git a/src/right_main.php b/src/right_main.php
index e644d8d1..0e33723e 100644
--- a/src/right_main.php
+++ b/src/right_main.php
@@ -77,11 +77,6 @@ $imapConnection = sqimap_login($username, false, $imapServerAddress, $imapPort, $mailbox = (isset($mailbox) && $mailbox) ? $mailbox : 'INBOX'; -/* compensate for the UW vulnerability. */ -if ($imap_server_type == 'uw' && (strstr($mailbox, '../') || - substr($mailbox, 0, 1) == '/')) { - $mailbox = 'INBOX'; -} /** * Set the global settings for a mailbox and merge them with the usersettings * for the mailbox. In the future we can add more mailbox specific preferences
--
2.25.1
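Review bot: The new guard sits only in sqimap_mailbox_select(), yet its doc comment says it "blocks all standard SquirrelMail IMAP API requests"; any function that sends a mailbox name to the server without first going through this select (none are visible in the hunk) would presumably not be covered. I would move the test into a small helper that every mailbox-taking command can call and narrow the comment to what is enforced, e.g. `* Applies only to requests that pass through sqimap_mailbox_select().`. The test is a deny-list of the two forms named in the comment, so the comment should also say it is a safety net and that the UW server's own mailbox restrictions remain the real control. The rejection branch calls `$oTemplate->display('footer.tpl')` and `die()` from library code, which assumes every caller has set `$oTemplate` and already sent the page header; the function starts and ends outside the hunk, so that cannot be confirmed here.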