From f43698c16073faebd44898def87a8c40df8f4530 Mon Sep 17 00:00:00 2001 From: pdontthink Date: Mon, 11 May 2009 22:04:40 +0000 Subject: [PATCH] Sanitize decrypt_headers.php form input (base64 decoding is not the same as sanitizing), general cleanup and grammatical fixes. Thanks to Niels Teusink. (also CVE-2009-1578) git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13671 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- contrib/decrypt_headers.php | 33 ++++++++++++++++++++------------- doc/ChangeLog | 5 ++++- 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/contrib/decrypt_headers.php b/contrib/decrypt_headers.php index a8d7ff1d..f053ed98 100644 --- a/contrib/decrypt_headers.php +++ b/contrib/decrypt_headers.php @@ -60,23 +60,30 @@ echo '"; if (sqgetGlobalVar('submit',$submit,SQ_POST)) { + $continue = TRUE; if (! sqgetGlobalVar('secret',$secret,SQ_POST) || - empty($secret)) - echo "

You must enter encryption key.

\n"; + empty($secret)) { + $continue = FALSE; + echo "

You must enter an encryption key.

\n"; + } if (! sqgetGlobalVar('enc_string',$enc_string,SQ_POST) || - empty($enc_string)) - echo "

You must enter encrypted string.

\n"; + empty($enc_string)) { + $continue = FALSE; + echo "

You must enter an encrypted string.

\n"; + } - if (isset($enc_string) && ! base64_decode($enc_string)) { - echo "

Encrypted string should be BASE64 encoded.
\n" - ."Please enter all characters that are listed after header name.

\n"; - } elseif (isset($secret)) { - $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); + if ($continue) { + if (isset($enc_string) && ! base64_decode($enc_string)) { + echo "

Encrypted string should be BASE64 encoded.
\n" + ."Please enter all characters that are listed after header name.

\n"; + } elseif (isset($secret)) { + $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); - if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { - $string=hex2ip($string); + if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { + $string=hex2ip($string); + } + echo "

Decoded string: ".htmlspecialchars($string)."

\n"; } - echo "

Decoded string: ".$string."

\n"; } echo "
"; } @@ -85,7 +92,7 @@ if (sqgetGlobalVar('submit',$submit,SQ_POST)) {
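Review bot: The validity test `! base64_decode($enc_string)` inside the new `if ($continue)` block does not reject malformed input, because without the strict argument base64_decode() silently discards characters outside the base64 alphabet, so the "should be BASE64 encoded" branch is reached only when the decoded result is empty or "0". I would write it as `base64_decode($enc_string, true) === false`; the strict parameter needs PHP 5.2 or later, so confirm the minimum version this tree supports. The `isset($enc_string)` and `isset($secret)` tests look redundant now that `$continue` is only TRUE when both values were read and non-empty. Escaping at the echo with `htmlspecialchars($string)` is the right place for the fix, and a short comment there such as `// decrypted bytes are user-controlled; escape for HTML output` would keep a later cleanup from dropping it.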

Secret key:
Encrypted string:
-Check, if it is an address string:
+

diff --git a/doc/ChangeLog b/doc/ChangeLog index 0eb45944..234feac5 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -296,8 +296,11 @@ Version 1.5.2 - SVN - Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581] - Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of - QUERY_STRING server environment variables. (Thanks to Niels Teusink + QUERY_STRING server environment variables (Thanks to Niels Teusink and Christian Balzer). [CVE-2009-1578] + - Fixed the lack of sanitizing of contrib/decrypt_headers.php input; + also includes general cleanup of that page (Thanks to Niels Teusink). + [also CVE-2009-1578] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- -- 2.25.1