diff -up squirrelmail-1.4.8/plugins/mail_fetch/config_example.php.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/config_example.php
--- squirrelmail-1.4.8/plugins/mail_fetch/config_example.php.CVE-2010-1637 2011-09-14 16:14:47.831408009 +0200
+++ squirrelmail-1.4.8/plugins/mail_fetch/config_example.php 2011-09-14 16:15:08.389503772 +0200
@@ -0,0 +1,61 @@
+<?php
+
+/**
+ * mail_fetch/config_example.php
+ *
+ * Configuration file for the mailfetch plugin.
+ *
+ * @copyright 1999-2010 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
+ * @version $Id: functions.php 13893 2010-01-25 02:47:41Z pdontthink $
+ * @package plugins
+ * @subpackage mail_fetch
+ */
+
+global $mail_fetch_allowable_ports, $mail_fetch_block_server_pattern;
+
+
+// This is the list of POP3 ports the user may specify.
+//
+// Usually, this does not need to be used at all, and
+// ports 110 and 995 will be the only available ports.
+//
+// If users are allowed to access POP3 that is served
+// on a non-standard port, you'll need to add that port
+// to this list and make sure this file is saved as
+// "config.php" in the mail_fetch plugin directory
+//
+// If you do not wish to restrict the allowable port
+// numbers at all, include "ALL" in this list.
+//
+$mail_fetch_allowable_ports = array(110, 995);
+
+
+
+// This is a pattern match that allows you to block
+// access to certain server addresses. This prevents
+// a user from attempting to try to specify certain
+// servers when adding a POP3 address.
+//
+// By default, this plugin will block POP3 server
+// addresses starting with "10.", "192.", "127." and
+// "localhost" (the pattern shown below).
+//
+// If you want to block other addresses, you'll need
+// to add them to this pattern and make sure that this
+// file is saved as "config.php" in the mail_fetch
+// plugin diretory
+//
+// If you do not wish to restrict the allowable server
+// addresses at all, set this value to be "UNRESTRICTED"
+//
+// This is a full regular expression pattern
+//
+// Allow anything:
+//
+// $mail_fetch_block_server_pattern = 'UNRESTRICTED';
+//
+// Default pattern:
+//
+$mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
diff -up squirrelmail-1.4.8/plugins/mail_fetch/functions.php.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/functions.php
--- squirrelmail-1.4.8/plugins/mail_fetch/functions.php.CVE-2010-1637 2011-09-14 16:15:31.759612802 +0200
+++ squirrelmail-1.4.8/plugins/mail_fetch/functions.php 2011-09-14 16:17:04.143045708 +0200
@@ -25,6 +25,72 @@ global $mail_fetch_allow_unsubscribed;
*/
$mail_fetch_allow_unsubscribed = false;
+/**
+ * Validate a requested POP3 port number
+ *
+ * Allowable port numbers are configured in config.php
+ * (see config_example.php for an example and more
+ * rules about how the list of allowable port numbers
+ * can be specified)
+ *
+ * @param int $requested_port The port number given by the user
+ *
+ * @return string An error string is returned if the port
+ * number is not allowable, otherwise an
+ * empty string is returned.
+ *
+ */
+function validate_mail_fetch_port_number($requested_port) {
+ global $mail_fetch_allowable_ports;
+ @include_once(SM_PATH . 'plugins/mail_fetch/config.php');
+ if (empty($mail_fetch_allowable_ports))
+ $mail_fetch_allowable_ports = array(110, 995);
+
+ if (in_array('ALL', $mail_fetch_allowable_ports))
+ return '';
+
+ if (!in_array($requested_port, $mail_fetch_allowable_ports)) {
+ sq_change_text_domain('mail_fetch');
+ $error = _("Sorry, that port number is not allowed");
+ sq_change_text_domain('squirrelmail');
+ return $error;
+ }
+
+ return '';
+}
+
+/**
+ * Validate a requested POP3 server address
+ *
+ * Blocked server addresses are configured in config.php
+ * (see config_example.php for more details)
+ *
+ * @param int $requested_address The server address given by the user
+ *
+ * @return string An error string is returned if the server
+ * address is not allowable, otherwise an
+ * empty string is returned.
+ *
+ */
+function validate_mail_fetch_server_address($requested_address) {
+ global $mail_fetch_block_server_pattern;
+ @include_once(SM_PATH . 'plugins/mail_fetch/config.php');
+ if (empty($mail_fetch_block_server_pattern))
+ $mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+ if ($mail_fetch_block_server_pattern == 'UNRESTRICTED')
+ return '';
+
+ if (preg_match($mail_fetch_block_server_pattern, $requested_address)) {
+ sq_change_text_domain('mail_fetch');
+ $error = _("Sorry, that server address is not allowed");
+ sq_change_text_domain('squirrelmail');
+ return $error;
+ }
+
+ return '';
+}
+
function hex2bin( $data ) {
/* Original code by josh@superfork.com */
@@ -124,4 +190,4 @@ function mail_fetch_check_noselect($imap
}
return false;
}
-?>
\ No newline at end of file
+?>
diff -up squirrelmail-1.4.8/plugins/mail_fetch/options.php.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/options.php
--- squirrelmail-1.4.8/plugins/mail_fetch/options.php.CVE-2010-1637 2011-09-14 16:17:46.905247104 +0200
+++ squirrelmail-1.4.8/plugins/mail_fetch/options.php 2011-09-14 16:20:37.976059050 +0200
@@ -49,7 +49,8 @@ sqgetGlobalVar('mf_login', $mf_l
sqgetGlobalVar('mf_fref', $mf_fref, SQ_POST);
sqgetGlobalVar('mf_lmos', $mf_lmos, SQ_POST);
sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST);
-
+$mf_port = trim($mf_port);
+$mf_server = trim($mf_server);
/* end globals */
@@ -57,6 +58,19 @@ sqgetGlobalVar('submit_mailfetch', $subm
switch( $mf_action ) {
case 'add':
+
+ $mf_action = 'config';
+
+ // restrict port number if necessary
+ //
+ $message = validate_mail_fetch_port_number($mf_port);
+ if (!empty($message)) break;
+
+ // restrict server address if necessary
+ //
+ $message = validate_mail_fetch_server_address($mf_server);
+ if (!empty($message)) break;
+
if ($mf_sn<1) $mf_sn=0;
if (!isset($mf_server)) return;
setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
@@ -71,10 +85,25 @@ sqgetGlobalVar('submit_mailfetch', $subm
setPref($data_dir,$username,"mailfetch_subfolder_$mf_sn",(isset($mf_subfolder)?$mf_subfolder:""));
$mf_sn++;
setPref($data_dir,$username,'mailfetch_server_number', $mf_sn);
- $mf_action = 'config';
break;
case 'confirm_modify':
- //modify a server
+
+ // restrict port number if necessary
+ //
+ $message = validate_mail_fetch_port_number($mf_port);
+ if (!empty($message)) {
+ $mf_action = 'Modify';
+ break;
+ }
+
+ // restrict server address if necessary
+ //
+ $message = validate_mail_fetch_server_address($mf_server);
+ if (!empty($message)) {
+ $mf_action = 'Modify';
+ break;
+ }
+
if (!isset($mf_server)) return;
setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
setPref($data_dir,$username,"mailfetch_port_$mf_sn", (isset($mf_port)?$mf_port:110));
@@ -176,6 +205,14 @@ sqgetGlobalVar('submit_mailfetch', $subm
) ,
'center', '', 'width="95%"' );
+ // display error or other messages if necessary
+ //
+ if (!empty($message)) {
+ echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
+ html_tag( 'tr',
+ html_tag( 'td', '<b>' . $message . '</b>', 'center', $color[2] ));
+ }
+
switch( $mf_action ) {
case 'config':
echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
@@ -383,4 +420,4 @@ sqgetGlobalVar('submit_mailfetch', $subm
}
?>
-</body></html>
\ No newline at end of file
+</body></html>
diff -up squirrelmail-1.4.8/plugins/mail_fetch/README.CVE-2010-1637 squirrelmail-1.4.8/plugins/mail_fetch/README
--- squirrelmail-1.4.8/plugins/mail_fetch/README.CVE-2010-1637 2011-09-14 16:13:41.784101423 +0200
+++ squirrelmail-1.4.8/plugins/mail_fetch/README 2011-09-14 16:14:03.694202952 +0200
@@ -74,6 +74,31 @@ pref files, with no encrypted passwords.
the "Encrypt Password" checkbox in the option page is not checked. If you
reenter account's passwords the system will switch to encrypted mode.
+Security
+========
+
+By default, the user is not allowed to enter a non-standard POP3 port
+number when configuring an external server with this plugin. This prevents
+the use of this plugin as a port scanner against other servers. However,
+if you need to allow users to access a POP3 service running on a non-
+standard port, you may create a "config.php" file by copying "config_example.php"
+and editing the list of allowable port numbers therein. If "ALL" is added
+to the list of allowable port numbers, then there will be no restriction
+on port numbers whatsoever. Be aware that although this may not represent
+any security threat to servers elsewhere on the Internet that does not
+already exist (other port scanners are freely available), if your server
+resides on a network behind a firewall, this could allow a malicious user
+to scan the servers and services behind your firewall that they'd normally
+not have access to.
+
+The user will also not be allowed to enter server addresses starting
+with "10.", "192.", "127." and "localhost" by default. This prevents users
+from being able to scan an internal network for the presence of other servers
+they are not allowed to access. If other server addresses should be banned,
+or this list is too restrictive, you may create a "config.php" file by copying
+"config_example.php" and then edit the list of blocked server addresses
+therein.
+
Future Work
===========
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
990dbf0cedc5e7df39833eaf1ef25821
>
files
>
16
