
squirrelmail-1.4.8-5.el5_7.13.src.rpm

diff -up squirrelmail-1.4.8/functions/options.php.CVE-2010-4555 squirrelmail-1.4.8/functions/options.php
--- squirrelmail-1.4.8/functions/options.php.CVE-2010-4555	2011-09-14 16:37:02.062398795 +0200
+++ squirrelmail-1.4.8/functions/options.php	2011-09-14 16:41:11.935157803 +0200
@@ -383,6 +383,21 @@ function save_option($option) {
         /* Can't save the pref if we don't have the username */
         return;
     }
+
+    // if the widget is a selection list, make sure the new
+    // value is actually in the selection list and is not an
+    // injection attack
+    //
+    if ($option->type == SMOPT_TYPE_STRLIST
+     && !array_key_exists($option->new_value, $option->possible_values))
+        return;
+
+
+    // all other widgets except TEXTAREAs should never be allowed to have newlines
+    //
+    else if ($option->type != SMOPT_TYPE_TEXTAREA)
+        $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
+
     global $data_dir;
     setPref($data_dir, $username, $option->name, $option->new_value);
 }
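Review bot: `array_key_exists($option->new_value, $option->possible_values)` assumes `possible_values` is an array; for a STRLIST option whose `possible_values` is unset or null, PHP 5 emits a warning and returns a falsy value (PHP 8 throws a TypeError), so the preference is silently dropped instead of saved. Guarding it, `&& (!is_array($option->possible_values) || !array_key_exists($option->new_value, $option->possible_values)))`, makes the reject explicit and warning-free. The `else` after the `return` is redundant and obscures that the newline stripping applies to every non-TEXTAREA type other than STRLIST; a comment such as `// STRLIST values were validated above; strip CR/LF from everything else so a value cannot smuggle extra lines into what setPref() writes` would make that clear. save_option starts outside the hunk.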
@@ -503,4 +518,4 @@ function OptionSubmit( $name ) {
 }
 
 // vim: et ts=4
-?>
\ No newline at end of file
+?>
diff -up squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod.CVE-2010-4555 squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod
--- squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod.CVE-2010-4555	2011-09-14 16:42:06.992544218 +0200
+++ squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod	2011-09-14 16:44:13.296429130 +0200
@@ -266,7 +266,7 @@ if ($errors){
   $extrajs.= "var sqspell_lines=new Array();\n";
   for ($i=0; $i<sizeof($sqspell_lines); $i++){
     $extrajs.= "sqspell_lines[$i] = \""
-      . chop(addslashes($sqspell_lines[$i])) . "\";\n";
+      . chop(addcslashes($sqspell_lines[$i], ">'\"\\\x0")) . "\";\n";
   }
   $extrajs.= "\n\n";
 
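Review bot: The escape set in `addcslashes($sqspell_lines[$i], ">'\"\\\x0")` covers the quote characters, the backslash, `>` and NUL but no other control character, so a CR or LF left inside `$sqspell_lines[$i]` (`chop()` only trims trailing whitespace) would terminate the JavaScript string literal early; whether such characters can still be present depends on how `$sqspell_lines` is built, which is outside the hunk. Using a range, `addcslashes($sqspell_lines[$i], "\0..\37>'\"\\")`, escapes every C0 control in the same call (newlines as `\n`/`\r`, the rest as octal escapes, which non-strict JavaScript accepts). This loop sits inside the `if ($errors)` block that begins before the hunk.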
@@ -474,4 +474,4 @@ if ($errors){
  * End:
  * vim: syntax=php
  */
-?>
\ No newline at end of file
+?>
diff -up squirrelmail-1.4.8/src/empty_trash.php.CVE-2010-4555 squirrelmail-1.4.8/src/empty_trash.php
--- squirrelmail-1.4.8/src/empty_trash.php.CVE-2010-4555	2011-09-14 16:44:47.930671412 +0200
+++ squirrelmail-1.4.8/src/empty_trash.php	2011-09-14 16:45:27.728949630 +0200
@@ -33,6 +33,11 @@ sqgetGlobalVar('onetimepad', $onetimepad
 
 /* finished globals */
 
+// first do a security check
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM))
+    $submitted_token = '';
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
 
 sqimap_mailbox_list($imap_stream);
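Review bot: The comment `// first do a security check` on the new block does not say what is checked or why, and the `3600` and `TRUE` arguments to `sm_validate_security_token()` are unexplained magic values. Something like `// CSRF guard: the Purge link carries an smtoken; reject the request if it is missing, forged or older than an hour` would show the intent; the meaning of the third argument (presumably abort the request on failure) is not visible here and should be confirmed against the function. The check is placed before `sqimap_login()`, so a rejected request never opens an IMAP session, which is worth a word in the comment too.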
@@ -48,6 +53,7 @@ $boxes = sqimap_mailbox_list($imap_strea
 
 /** First create the top node in the tree **/
 $numboxes = count($boxes);
+$foldersTree = array();
 for ($i = 0; $i < $numboxes; $i++) {
     if (($boxes[$i]['unformatted'] == $mailbox) && (strlen($boxes[$i]['unformatted']) == strlen($mailbox))) {
         $foldersTree[0]['value'] = $mailbox;
@@ -78,4 +84,4 @@ $location = get_location();
 // force_refresh = 1 in case trash contains deleted mailboxes
 header ("Location: $location/left_main.php?force_refresh=1");
 
-?>
\ No newline at end of file
+?>
diff -up squirrelmail-1.4.8/src/left_main.php.CVE-2010-4555 squirrelmail-1.4.8/src/left_main.php
--- squirrelmail-1.4.8/src/left_main.php.CVE-2010-4555	2011-09-14 16:45:45.019070433 +0200
+++ squirrelmail-1.4.8/src/left_main.php	2011-09-14 16:46:30.873390660 +0200
@@ -100,7 +100,7 @@ function formatMailboxName($imapConnecti
         if (($numMessages > 0) or ($box_array['parent'] == 1)) {
             $urlMailbox = urlencode($real_box);
             $line .= "\n<small>\n" .
-                    '&nbsp;&nbsp;(<a href="empty_trash.php" style="text-decoration:none">'._("Purge").'</a>)' .
+                    '&nbsp;&nbsp;(<a href="empty_trash.php?smtoken=' . sm_generate_security_token() . '" style="text-decoration:none">'._("Purge").'</a>)' .
                     '</small>';
         }
     } else {
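Review bot: Putting the anti-CSRF token in the `href` query string, `empty_trash.php?smtoken=...`, exposes it in browser history, proxy and server access logs, and the Referer header sent to any off-site link opened from the next page, and leaves a destructive action (purging the Trash) reachable by a plain GET that link-prefetching clients may trigger on their own. A small POST form with `smtoken` as a hidden field and a submit button styled as a link keeps the protection while closing those channels; the empty_trash.php side already reads the token with `SQ_FORM`, which by its name should accept POST as well (not visible here). formatMailboxName starts before the hunk.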
@@ -469,4 +469,4 @@ sqimap_logout($imapConnection);
 
 ?>
 </td></tr></table>
-</body></html>
\ No newline at end of file
+</body></html>
diff -up squirrelmail-1.4.8/src/options_order.php.CVE-2010-4555 squirrelmail-1.4.8/src/options_order.php
--- squirrelmail-1.4.8/src/options_order.php.CVE-2010-4555	2011-09-14 16:46:56.211567456 +0200
+++ squirrelmail-1.4.8/src/options_order.php	2011-09-14 16:52:01.835797355 +0200
@@ -28,12 +28,16 @@ require_once(SM_PATH . 'functions/html.p
 require_once(SM_PATH . 'functions/forms.php');
 
 /* get globals */
-sqgetGlobalVar('num',       $num,       SQ_GET);  
+if (sqgetGlobalVar('num', $num, SQ_GET))  
+   $num = (int)$num;
+else
+   $num = 0;
+
 sqgetGlobalVar('add',       $add,       SQ_POST);
 
 sqgetGlobalVar('submit',    $submit);
 sqgetGlobalVar('method',    $method);
-if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
     $submitted_token = '';
 }
 /* end of get globals */
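Review bot: The new `$num = (int)$num;` has no comment explaining why the cast matters, and the switch to `SQ_FORM` for `smtoken` reads as a stray edit until one reaches the GET-based remove link later in the file. Comments such as `// num is used as an index into $index_order below; coerce it so only a plain position can be supplied` and `// smtoken may arrive via GET (remove link) or POST (form), so read it from either` would document both. The cast maps non-numeric input to 0, which the `$num > 0` guards in the branches below rely on.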
@@ -58,17 +62,21 @@ displayPageHeader($color, 'None');
     
     if (! isset($method)) { $method = ''; }
  
-    if ($method == 'up' && $num > 1) {
+    if ($method == 'up' && $num > 0 && $num > 1) {
         $prev = $num-1;
         $tmp = $index_order[$prev];
         $index_order[$prev] = $index_order[$num];
         $index_order[$num] = $tmp;
-    } else if ($method == 'down' && $num < count($index_order)) {
+    } else if ($method == 'down' && $num > 0 && $num < count($index_order)) {
         $next = $num++;
         $tmp = $index_order[$next];
         $index_order[$next] = $index_order[$num];
         $index_order[$num] = $tmp;
-    } else if ($method == 'remove' && $num) {
+    } else if ($method == 'remove' && $num > 0) {
+
+        // first do a security check
+        sm_validate_security_token($submitted_token, 3600, TRUE);
+
         for ($i=1; $i < 8; $i++) {
             removePref($data_dir, $username, "order$i"); 
         }
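Review bot: The token is validated only in the `remove` branch, while the `up` and `down` branches still swap entries of `$index_order` with no `sm_validate_security_token()` call; if they are reached by the same style of GET link and the reordered array is saved afterwards (neither is visible in this hunk), they are forgeable in exactly the way `remove` was. Moving the `sm_validate_security_token($submitted_token, 3600, TRUE);` call in front of the whole `if ($method == 'up' ...` chain, under `if ($method != '')`, would cover all three with one check. Separately, `$num > 0 && $num > 1` in the `up` condition is redundant; `$num > 1` alone says the same.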
@@ -121,7 +129,7 @@ displayPageHeader($color, 'None');
             echo html_tag( 'td' );
             /* Always show the subject */
             if ($tmp != 4)
-               echo '<small><a href="options_order.php?method=remove&amp;num=' . $i . '">' . _("remove") . '</a></small>';
+               echo '<small><a href="options_order.php?method=remove&amp;num=' . $i . '&smtoken=' . sm_generate_security_token() . '">' . _("remove") . '</a></small>';
             else
                echo '&nbsp;'; 
             echo '</td>';
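Review bot: The new link text mixes escaping: `&amp;num=` is HTML-escaped but the appended `&smtoken=` is not, so the attribute now contains a raw `&` in the HTML output; browsers recover, but it is invalid markup and inconsistent with the rest of the line. Use `'&amp;smtoken=' . sm_generate_security_token()` to match. As with any token carried in a GET query string, it also lands in history, logs and Referer headers, so a POST form would be the stronger shape for a destructive `remove`.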
@@ -161,4 +169,4 @@ displayPageHeader($color, 'None');
 
 </td></tr>
 </table>
-</body></html>
\ No newline at end of file
+</body></html>