From b571d899ce8f4af7a4f07ce70eec898b95c64746 Mon Sep 17 00:00:00 2001 From: pdontthink Date: Mon, 21 Jun 2010 07:18:55 +0000 Subject: [PATCH] Fixed minor vulnerability in Mail Fetch plugin [CVE-2010-1637/TEHTRI-SA-2010-009] git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13950 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- doc/ChangeLog | 1 + plugins/mail_fetch/README | 26 ++++++++++ plugins/mail_fetch/config_default.php | 53 ++++++++++++++++++++- plugins/mail_fetch/functions.php | 68 ++++++++++++++++++++++++++- plugins/mail_fetch/options.php | 45 +++++++++++++++++- 5 files changed, 188 insertions(+), 5 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index c39d7cec..28d09132 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -342,6 +342,7 @@ Version 1.5.2 - SVN - Fix typo in SpamCop plugin. - Reduced default time security tokens stay valid from 30 days to 2 days (reduces chances of session data growing too large) + - Fixed minor vulnerability in Mail Fetch plugin [CVE-2010-1637/TEHTRI-SA-2010-009] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- diff --git a/plugins/mail_fetch/README b/plugins/mail_fetch/README index e246a2fc..8e1e8e18 100644 --- a/plugins/mail_fetch/README +++ b/plugins/mail_fetch/README 
@@ -75,6 +75,32 @@ the "Encrypt Password" checkbox in the option page is not checked. If you reenter account's passwords the system will switch to encrypted mode. +Security +======== + +By default, the user is not allowed to enter a non-standard POP3 port +number when configuring an external server with this plugin. This prevents +the use of this plugin as a port scanner against other servers. However, +if you need to allow users to access a POP3 service running on a non- +standard port, you may create a "config.php" file by copying "config_example.php" +and editing the list of allowable port numbers therein. If "ALL" is added +to the list of allowable port numbers, then there will be no restriction +on port numbers whatsoever. Be aware that although this may not represent +any security threat to servers elsewhere on the Internet that does not +already exist (other port scanners are freely available), if your server +resides on a network behind a firewall, this could allow a malicious user +to scan the servers and services behind your firewall that they'd normally +not have access to. + +The user will also not be allowed to enter server addresses starting +with "10.", "192.", "127." and "localhost" by default. This prevents users +from being able to scan an internal network for the presence of other servers +they are not allowed to access. If other server addresses should be banned, +or this list is too restrictive, you may create a "config.php" file by copying +"config_example.php" and then edit the list of blocked server addresses +therein. + + Future Work =========== diff --git a/plugins/mail_fetch/config_default.php b/plugins/mail_fetch/config_default.php index ff154f89..2e7d6379 100644 --- a/plugins/mail_fetch/config_default.php +++ b/plugins/mail_fetch/config_default.php 
@@ -10,9 +10,58 @@ * @subpackage mail_fetch */ + /** - * Controls use of unsubscribed folders in plugin. Change this to true if it is - * allowed to store fetched messages in unsubscribed folders. + * Controls use of unsubscribed folders in plugin. Change this to true + * and save this file as "config.php" if it is allowed to store + * fetched messages in unsubscribed folders. */ $mail_fetch_allow_unsubscribed = false; + + +// This is the list of POP3 ports the user may specify. +// +// Usually, this does not need to be used at all, and +// ports 110 and 995 will be the only available ports. +// +// If users are allowed to access POP3 that is served +// on a non-standard port, you'll need to add that port +// to this list and make sure this file is saved as +// "config.php" in the mail_fetch plugin directory +// +// If you do not wish to restrict the allowable port +// numbers at all, include "ALL" in this list. +// +$mail_fetch_allowable_ports = array(110, 995); + + + +// This is a pattern match that allows you to block +// access to certain server addresses. This prevents +// a user from attempting to try to specify certain +// servers when adding a POP3 address. +// +// By default, this plugin will block POP3 server +// addresses starting with "10.", "192.", "127." and +// "localhost" (the pattern shown below). +// +// If you want to block other addresses, you'll need +// to add them to this pattern and make sure that this +// file is saved as "config.php" in the mail_fetch +// plugin diretory +// +// If you do not wish to restrict the allowable server +// addresses at all, set this value to be "UNRESTRICTED" +// +// This is a full regular expression pattern +// +// Allow anything: +// +// $mail_fetch_block_server_pattern = 'UNRESTRICTED'; +// +// Default pattern: +// +$mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/'; + + diff --git a/plugins/mail_fetch/functions.php b/plugins/mail_fetch/functions.php index 807323d1..921e86eb 100644 
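Review bot: The default `$mail_fetch_block_server_pattern` at the end of this hunk is a prefix match on the text the user typed, and its prefixes do not line up with the ranges it is meant to cover: `^192\.` rejects all of 192.0.0.0/8, public addresses included, while 172.16.0.0/12, 169.254.0.0/16 and IPv6 loopback are not listed, and without an `i` modifier the `localhost` alternative is case-sensitive. A host name that resolves to an internal address is not caught by any string pattern, so the README's statement that this prevents scanning an internal network holds only for literal addresses; resolving the name and checking the resulting address against the reserved ranges before connecting would cover that case. At minimum I would tighten the default to something like `'/^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|localhost)/i'` and state the limitation in the comment above it. The comment also misspells `directory` as `diretory`, and the README and the new docblocks in functions.php point to `config_example.php` while this commit adds the settings to `config_default.php`.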
--- a/plugins/mail_fetch/functions.php +++ b/plugins/mail_fetch/functions.php @@ -22,7 +22,8 @@ include_once (SM_PATH . 'plugins/mail_fetch/constants.php'); include_once (SM_PATH . 'plugins/mail_fetch/class.mail_fetch.php'); /** declare plugin globals */ -global $mail_fetch_allow_unsubscribed; +global $mail_fetch_allow_unsubscribed, $mail_fetch_allowable_ports, + $mail_fetch_block_server_pattern; /** * Add link to menu at top of content pane 
@@ -417,3 +418,68 @@ function mail_fetch_check_noselect($imap_stream,$imap_folder) { } return false; } + +/** + * Validate a requested POP3 port number + * + * Allowable port numbers are configured in config.php + * (see config_example.php for an example and more + * rules about how the list of allowable port numbers + * can be specified) + * + * @param int $requested_port The port number given by the user + * + * @return string An error string is returned if the port + * number is not allowable, otherwise an + * empty string is returned. + * + */ +function validate_mail_fetch_port_number($requested_port) { + global $mail_fetch_allowable_ports; + if (empty($mail_fetch_allowable_ports)) + $mail_fetch_allowable_ports = array(110, 995); + + if (in_array('ALL', $mail_fetch_allowable_ports)) + return ''; + + if (!in_array($requested_port, $mail_fetch_allowable_ports)) { + sq_change_text_domain('mail_fetch'); + $error = _("Sorry, that port number is not allowed"); + sq_change_text_domain('squirrelmail'); + return $error; + } + + return ''; +} + +/** + * Validate a requested POP3 server address + * + * Blocked server addresses are configured in config.php + * (see config_example.php for more details) + * + * @param int $requested_address The server address given by the user + * + * @return string An error string is returned if the server + * address is not allowable, otherwise an + * empty string is returned. 
+ * + */ +function validate_mail_fetch_server_address($requested_address) { + global $mail_fetch_block_server_pattern; + if (empty($mail_fetch_block_server_pattern)) + $mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/'; + + if ($mail_fetch_block_server_pattern == 'UNRESTRICTED') + return ''; + + if (preg_match($mail_fetch_block_server_pattern, $requested_address)) { + sq_change_text_domain('mail_fetch'); + $error = _("Sorry, that server address is not allowed"); + sq_change_text_domain('squirrelmail'); + return $error; + } + + return ''; +} + diff --git a/plugins/mail_fetch/options.php b/plugins/mail_fetch/options.php index 0cba822f..73455338 100644 --- a/plugins/mail_fetch/options.php +++ b/plugins/mail_fetch/options.php @@ -56,6 +56,8 @@ sqgetGlobalVar('mf_lmos', $mf_lmos, SQ_POST); sqgetGlobalVar('mf_auth', $mf_auth, SQ_POST); sqgetGlobalVar('mf_type', $mf_type, SQ_POST); sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST); +$mf_port = trim($mf_port); +$mf_server = trim($mf_server); /* end globals */ @@ -64,6 +66,19 @@ displayPageHeader( $color ); switch( $mf_action ) { case 'add': + + $mf_action = 'config'; + + // restrict port number if necessary + // + $message = validate_mail_fetch_port_number($mf_port); + if (!empty($message)) break; + + // restrict server address if necessary + // + $message = validate_mail_fetch_server_address($mf_server); + if (!empty($message)) break; + if ($mf_sn<1) $mf_sn=0; if (!isset($mf_server)) return; setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:"")); 
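Review bot: `validate_mail_fetch_port_number()` looks the port up with a loose `in_array()`, so `$requested_port` (presumably the string from the POSTed form, which options.php only trims) is compared to the integer list under PHP's type-juggling rules. On PHP versions where a numeric-prefixed string equals its leading number, a value such as `110abc` passes and is then stored as the port. Requiring digits before the lookup avoids that without changing how administrators write the list: `if (!preg_match('/^[0-9]+$/D', $requested_port) || !in_array((int) $requested_port, $mail_fetch_allowable_ports)) {`. In `validate_mail_fetch_server_address()` a malformed administrator pattern makes `preg_match()` return `false`, which the `if` treats as "not blocked"; testing `preg_match(...) !== 0` would fail closed instead. The docblock of that function declares `@param int $requested_address`, which should be `string`.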
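Review bot: As far as this diff shows, the two validators run only when an account is saved, here in `case 'add'` and again in the `confirm_modify` hunk that follows. The `mailfetch_server_$mf_sn` and `mailfetch_port_$mf_sn` preferences written before this change, or by any path other than this form, are therefore never checked. If the code that opens the POP3 connection is not patched elsewhere, it should call `validate_mail_fetch_port_number()` and `validate_mail_fetch_server_address()` on the stored values before connecting. Separately, `$mf_server` is now always a string after `trim()`, so the `if (!isset($mf_server)) return;` after the new checks can no longer trigger; an explicit empty-string test would express the intent. The `switch` body continues outside this hunk.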
@@ -88,10 +103,28 @@ switch( $mf_action ) { setPref($data_dir,$username,"mailfetch_type_$mf_sn",(isset($mf_type)?$mf_type:MAIL_FETCH_USE_PLAIN)); $mf_sn++; setPref($data_dir,$username,'mailfetch_server_number', $mf_sn); - $mf_action = 'config'; break; + + // modify a server + // case 'confirm_modify': - //modify a server + + // restrict port number if necessary + // + $message = validate_mail_fetch_port_number($mf_port); + if (!empty($message)) { + $mf_action = 'Modify'; + break; + } + + // restrict server address if necessary + // + $message = validate_mail_fetch_server_address($mf_server); + if (!empty($message)) { + $mf_action = 'Modify'; + break; + } + if (!isset($mf_server)) return; setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:"")); setPref($data_dir,$username,"mailfetch_port_$mf_sn", (isset($mf_port)?$mf_port:110)); @@ -209,6 +242,14 @@ echo '
' . ) , 'center', '', 'width="95%"' ); +// display error or other messages if necessary +// +if (!empty($message)) { + echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) . + html_tag( 'tr', + html_tag( 'td', '' . $message . '', 'center', $color[2] )); +} + switch( $mf_action ) { case 'config': echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) . -- 2.25.1
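Review bot: `$message` is echoed into the page without escaping and is assigned only inside the `add` and `confirm_modify` branches, so for every other `$mf_action` this block relies on the variable not having been defined earlier in the request. The two validators return fixed translated strings, so the current callers are safe. Initialising `$message = '';` next to the other globals (outside this hunk) and writing `htmlspecialchars($message)` here would keep that true if a later message ever includes the rejected server name or port.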