From ce102fcc55bdbde46a6ecd8897c0df0567f19610 Mon Sep 17 00:00:00 2001 From: pdontthink Date: Tue, 12 Jul 2011 04:45:49 +0000 Subject: [PATCH] Fix XSS holes in generic options inputs, XSS hole in the SquirrelSpell plugin, and added anti-CSRF protection to the empty trash feature (thanks to Nicholas Carlini for finding all these issues) [CVE-2010-4555] git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14120 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- doc/ChangeLog | 3 +++ functions/options.php | 15 +++++++++++++++ plugins/squirrelspell/modules/check_me.mod | 2 +- src/empty_trash.php | 4 ++++ templates/default/left_main.tpl | 2 +- templates/default_advanced/left_main.tpl | 2 +- 6 files changed, 25 insertions(+), 3 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index a9c1710d..64fbb789 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -362,6 +362,9 @@ Version 1.5.2 - SVN to config_local.php. - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen for bringing this to our attention). [CVE-2010-4554] + - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell + plugin, and added anti-CSRF protection to the empty trash feature (thanks + to Nicholas Carlini for finding all these issues). [CVE-2010-4555] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- diff --git a/functions/options.php b/functions/options.php index 0935ebf8..a09f3a2e 100644 --- a/functions/options.php +++ b/functions/options.php 
@@ -831,6 +831,21 @@ function save_option($option) { return; } + // if the widget is a selection list, make sure the new + // value is actually in the selection list and is not an + // injection attack + // + if ($option->type == SMOPT_TYPE_STRLIST + && !array_key_exists($option->new_value, $option->possible_values)) + return; + + + // all other widgets except TEXTAREAs should never be allowed to have newlines + // + else if ($option->type != SMOPT_TYPE_TEXTAREA) + $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value); + + global $data_dir; // edit lists: first add new elements to list, then diff --git a/plugins/squirrelspell/modules/check_me.mod b/plugins/squirrelspell/modules/check_me.mod index b15b21a9..d5cbd2ad 100644 --- a/plugins/squirrelspell/modules/check_me.mod +++ b/plugins/squirrelspell/modules/check_me.mod @@ -183,7 +183,7 @@ if ($errors){ for ($i=0; $i'\"\\\x0")) . "\";\n"; } $extrajs.= "\n\n"; diff --git a/src/empty_trash.php b/src/empty_trash.php index a71dd741..2c52f889 100644 --- a/src/empty_trash.php +++ b/src/empty_trash.php @@ -30,6 +30,10 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); /* finished globals */ +// first do a security check +sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, ''); +sm_validate_security_token($submitted_token, 3600, TRUE); + $imap_stream = sqimap_login($username, false, $imapServerAddress, $imapPort, 0); $mailbox = $trash_folder; diff --git a/templates/default/left_main.tpl b/templates/default/left_main.tpl index 16288371..a64a5188 100644 --- a/templates/default/left_main.tpl +++ b/templates/default/left_main.tpl @@ -196,7 +196,7 @@ function buildMailboxTree ($box, $settings, $icon_theme_path, $indent_factor=0) $end .= ' ('.$unseen_str.')'; } $end .= "\n" . - '  ['. _("Purge").']' . + '  ['. _("Purge").']' . ''; } } else { diff --git a/templates/default_advanced/left_main.tpl b/templates/default_advanced/left_main.tpl index 061530c8..ef129fa5 100644 
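Review bot: The new STRLIST guard calls `array_key_exists($option->new_value, $option->possible_values)` without checking either operand, so a STRLIST option whose `possible_values` is not an array, or a request that submits the value as an array (`name[]=...`, if `new_value` really comes straight from the request as the comment about injection suggests), raises a warning on older PHP and a TypeError on PHP 8 instead of a clean rejection. Failing closed is the safer outcome there: prefix the lookup with `!is_array($option->possible_values) || !is_scalar($option->new_value) ||` so such a submission is dropped rather than blowing up inside the save path. The CR/LF stripping that follows is a narrow blacklist, not an output-encoding step, so the XSS fix still relies on the rendering code escaping these values; that code is outside this hunk and worth confirming. The `else if` after `return;` is redundant and reads more clearly as a separate `if`. `save_option` begins before this hunk and its body continues after it.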
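Review bot: The token is read with `sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, '')`, so a request with no token hands the empty-string default to `sm_validate_security_token`; the protection therefore depends on the validator rejecting `''`, which is presumably the case but not visible here, and a comment such as `// a missing token defaults to '' and must be rejected by the validator` would record that assumption. Emptying the trash is still a GET action triggered from a link, which places the token in the URL where it is exposed through Referer headers and browser history for the whole 3600-second validity window; consider making the purge a POST form and reading the token with SQ_FORM so the link form of the URL alone cannot trigger it. The third argument `TRUE` is unexplained at the call site; a short comment naming what it requests (presumably abort the request on failure) would help the next reader.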
--- a/templates/default_advanced/left_main.tpl +++ b/templates/default_advanced/left_main.tpl @@ -305,7 +305,7 @@ extract($t); '; - echo '' . _("Purge Trash") . ''; -- 2.25.1