--- branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2009/05/11 21:09:28 13666 +++ branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2009/05/11 21:17:50 13667 @@ -1965,6 +1965,12 @@ /** * Fix stupid css declarations which lead to vulnerabilities * in IE. + * + * Also remove "position" attribute, as it can easily be set + * to "fixed" or "absolute" with "left" and "top" attributes + * of zero, taking over the whole content frame. It can also + * be set to relative and move itself anywhere it wants to, + * displaying content in areas it shouldn't be allowed to touch. */ $match = Array('/\/\*.*\*\//', '/expression/i', @@ -1972,8 +1978,9 @@ '/binding/i', '/include-source/i', '/javascript/i', - '/script/i'); - $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); + '/script/i', + '/position/i'); + $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', ''); $contentNew = preg_replace($match, $replace, $contentTemp); if ($contentNew !== $contentTemp) { // insecure css declarations are used. From now on we don't care @@ -2366,12 +2373,28 @@ "/binding/i", "/behaviou*r/i", "/include-source/i", - "/position\s*:\s*absolute/i", + + // position:relative can also be exploited + // to put content outside of email body area + // and position:fixed is similarly exploitable + // as position:absolute, so we'll remove it + // altogether.... + // + // Does this screw up legitimate HTML messages? + // If so, the only fix I see is to allow position + // attributes (any values? I think we still have + // to block static and fixed) only if $use_iframe + // is enabled (1.5.0+) + // + // was: "/position\s*:\s*absolute/i", + // + "/position\s*:/i", + "/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i", "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si", - "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si" + "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si", ), Array( "",