diff -up squirrelmail-1.4.8/plugins/mail_fetch/config_example.php.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/config_example.php --- squirrelmail-1.4.8/plugins/mail_fetch/config_example.php.CVE-2010-1637 2011-09-14 16:14:47.831408009 +0200 +++ squirrelmail-1.4.8/plugins/mail_fetch/config_example.php 2011-09-14 16:15:08.389503772 +0200 @@ -0,0 +1,61 @@ +<?php + +/** + * mail_fetch/config_example.php + * + * Configuration file for the mailfetch plugin. + * + * @copyright 1999-2010 The SquirrelMail Project Team + * @license http://opensource.org/licenses/gpl-license.php GNU Public License + * @version $Id: functions.php 13893 2010-01-25 02:47:41Z pdontthink $ + * @package plugins + * @subpackage mail_fetch + */ + +global $mail_fetch_allowable_ports, $mail_fetch_block_server_pattern; + + +// This is the list of POP3 ports the user may specify. +// +// Usually, this does not need to be used at all, and +// ports 110 and 995 will be the only available ports. +// +// If users are allowed to access POP3 that is served +// on a non-standard port, you'll need to add that port +// to this list and make sure this file is saved as +// "config.php" in the mail_fetch plugin directory +// +// If you do not wish to restrict the allowable port +// numbers at all, include "ALL" in this list. +// +$mail_fetch_allowable_ports = array(110, 995); + + + +// This is a pattern match that allows you to block +// access to certain server addresses. This prevents +// a user from attempting to try to specify certain +// servers when adding a POP3 address. +// +// By default, this plugin will block POP3 server +// addresses starting with "10.", "192.", "127." and +// "localhost" (the pattern shown below). +// +// If you want to block other addresses, you'll need +// to add them to this pattern and make sure that this +// file is saved as "config.php" in the mail_fetch +// plugin diretory +// +// If you do not wish to restrict the allowable server +// addresses at all, set this value to be "UNRESTRICTED" +// +// This is a full regular expression pattern +// +// Allow anything: +// +// $mail_fetch_block_server_pattern = 'UNRESTRICTED'; +// +// Default pattern: +// +$mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/'; + diff -up squirrelmail-1.4.8/plugins/mail_fetch/functions.php.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/functions.php --- squirrelmail-1.4.8/plugins/mail_fetch/functions.php.CVE-2010-1637 2011-09-14 16:15:31.759612802 +0200 +++ squirrelmail-1.4.8/plugins/mail_fetch/functions.php 2011-09-14 16:17:04.143045708 +0200 @@ -25,6 +25,72 @@ global $mail_fetch_allow_unsubscribed; */ $mail_fetch_allow_unsubscribed = false; +/** + * Validate a requested POP3 port number + * + * Allowable port numbers are configured in config.php + * (see config_example.php for an example and more + * rules about how the list of allowable port numbers + * can be specified) + * + * @param int $requested_port The port number given by the user + * + * @return string An error string is returned if the port + * number is not allowable, otherwise an + * empty string is returned. + * + */ +function validate_mail_fetch_port_number($requested_port) { + global $mail_fetch_allowable_ports; + @include_once(SM_PATH . 'plugins/mail_fetch/config.php'); + if (empty($mail_fetch_allowable_ports)) + $mail_fetch_allowable_ports = array(110, 995); + + if (in_array('ALL', $mail_fetch_allowable_ports)) + return ''; + + if (!in_array($requested_port, $mail_fetch_allowable_ports)) { + sq_change_text_domain('mail_fetch'); + $error = _("Sorry, that port number is not allowed"); + sq_change_text_domain('squirrelmail'); + return $error; + } + + return ''; +} + +/** + * Validate a requested POP3 server address + * + * Blocked server addresses are configured in config.php + * (see config_example.php for more details) + * + * @param int $requested_address The server address given by the user + * + * @return string An error string is returned if the server + * address is not allowable, otherwise an + * empty string is returned. + * + */ +function validate_mail_fetch_server_address($requested_address) { + global $mail_fetch_block_server_pattern; + @include_once(SM_PATH . 'plugins/mail_fetch/config.php'); + if (empty($mail_fetch_block_server_pattern)) + $mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/'; + + if ($mail_fetch_block_server_pattern == 'UNRESTRICTED') + return ''; + + if (preg_match($mail_fetch_block_server_pattern, $requested_address)) { + sq_change_text_domain('mail_fetch'); + $error = _("Sorry, that server address is not allowed"); + sq_change_text_domain('squirrelmail'); + return $error; + } + + return ''; +} + function hex2bin( $data ) { /* Original code by josh@superfork.com */ @@ -124,4 +190,4 @@ function mail_fetch_check_noselect($imap } return false; } -?> \ No newline at end of file +?> diff -up squirrelmail-1.4.8/plugins/mail_fetch/options.php.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/options.php --- squirrelmail-1.4.8/plugins/mail_fetch/options.php.CVE-2010-1637 2011-09-14 16:17:46.905247104 +0200 +++ squirrelmail-1.4.8/plugins/mail_fetch/options.php 2011-09-14 16:20:37.976059050 +0200 @@ -49,7 +49,8 @@ sqgetGlobalVar('mf_login', $mf_l sqgetGlobalVar('mf_fref', $mf_fref, SQ_POST); sqgetGlobalVar('mf_lmos', $mf_lmos, SQ_POST); sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST); - +$mf_port = trim($mf_port); +$mf_server = trim($mf_server); /* end globals */ @@ -57,6 +58,19 @@ sqgetGlobalVar('submit_mailfetch', $subm switch( $mf_action ) { case 'add': + + $mf_action = 'config'; + + // restrict port number if necessary + // + $message = validate_mail_fetch_port_number($mf_port); + if (!empty($message)) break; + + // restrict server address if necessary + // + $message = validate_mail_fetch_server_address($mf_server); + if (!empty($message)) break; + if ($mf_sn<1) $mf_sn=0; if (!isset($mf_server)) return; setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:"")); @@ -71,10 +85,25 @@ sqgetGlobalVar('submit_mailfetch', $subm setPref($data_dir,$username,"mailfetch_subfolder_$mf_sn",(isset($mf_subfolder)?$mf_subfolder:"")); $mf_sn++; setPref($data_dir,$username,'mailfetch_server_number', $mf_sn); - $mf_action = 'config'; break; case 'confirm_modify': - //modify a server + + // restrict port number if necessary + // + $message = validate_mail_fetch_port_number($mf_port); + if (!empty($message)) { + $mf_action = 'Modify'; + break; + } + + // restrict server address if necessary + // + $message = validate_mail_fetch_server_address($mf_server); + if (!empty($message)) { + $mf_action = 'Modify'; + break; + } + if (!isset($mf_server)) return; setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:"")); setPref($data_dir,$username,"mailfetch_port_$mf_sn", (isset($mf_port)?$mf_port:110)); @@ -176,6 +205,14 @@ sqgetGlobalVar('submit_mailfetch', $subm ) , 'center', '', 'width="95%"' ); + // display error or other messages if necessary + // + if (!empty($message)) { + echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) . + html_tag( 'tr', + html_tag( 'td', '<b>' . $message . '</b>', 'center', $color[2] )); + } + switch( $mf_action ) { case 'config': echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) . @@ -383,4 +420,4 @@ sqgetGlobalVar('submit_mailfetch', $subm } ?> -</body></html> \ No newline at end of file +</body></html> diff -up squirrelmail-1.4.8/plugins/mail_fetch/README.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/README --- squirrelmail-1.4.8/plugins/mail_fetch/README.CVE-2010-1637 2011-09-14 16:13:41.784101423 +0200 +++ squirrelmail-1.4.8/plugins/mail_fetch/README 2011-09-14 16:14:03.694202952 +0200 @@ -74,6 +74,31 @@ pref files, with no encrypted passwords. the "Encrypt Password" checkbox in the option page is not checked. If you reenter account's passwords the system will switch to encrypted mode. +Security +======== + +By default, the user is not allowed to enter a non-standard POP3 port +number when configuring an external server with this plugin. This prevents +the use of this plugin as a port scanner against other servers. However, +if you need to allow users to access a POP3 service running on a non- +standard port, you may create a "config.php" file by copying "config_example.php" +and editing the list of allowable port numbers therein. If "ALL" is added +to the list of allowable port numbers, then there will be no restriction +on port numbers whatsoever. Be aware that although this may not represent +any security threat to servers elsewhere on the Internet that does not +already exist (other port scanners are freely available), if your server +resides on a network behind a firewall, this could allow a malicious user +to scan the servers and services behind your firewall that they'd normally +not have access to. + +The user will also not be allowed to enter server addresses starting +with "10.", "192.", "127." and "localhost" by default. This prevents users +from being able to scan an internal network for the presence of other servers +they are not allowed to access. If other server addresses should be banned, +or this list is too restrictive, you may create a "config.php" file by copying +"config_example.php" and then edit the list of blocked server addresses +therein. + Future Work ===========