diff -up squirrelmail-1.4.8/functions/options.php.CVE-2010-4555 squirrelmail-1.4.8/functions/options.php
--- squirrelmail-1.4.8/functions/options.php.CVE-2010-4555 2011-09-14 16:37:02.062398795 +0200
+++ squirrelmail-1.4.8/functions/options.php 2011-09-14 16:41:11.935157803 +0200
@@ -383,6 +383,21 @@ function save_option($option) {
 /* Can't save the pref if we don't have the username */
 return;
 }
+
+ // if the widget is a selection list, make sure the new
+ // value is actually in the selection list and is not an
+ // injection attack
+ //
+ if ($option->type == SMOPT_TYPE_STRLIST
+ && !array_key_exists($option->new_value, $option->possible_values))
+ return;
+
+
+ // all other widgets except TEXTAREAs should never be allowed to have newlines
+ //
+ else if ($option->type != SMOPT_TYPE_TEXTAREA)
+ $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
+
 global $data_dir;
 setPref($data_dir, $username, $option->name, $option->new_value);
 }
@@ -503,4 +518,4 @@ function OptionSubmit( $name ) {
 }
 // vim: et ts=4
-?>
\ No newline at end of file
+?>
diff -up squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod.CVE-2010-4555 squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod
--- squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod.CVE-2010-4555 2011-09-14 16:42:06.992544218 +0200
+++ squirrelmail-1.4.8/plugins/squirrelspell/modules/check_me.mod 2011-09-14 16:44:13.296429130 +0200
@@ -266,7 +266,7 @@ if ($errors){
 $extrajs.= "var sqspell_lines=new Array();\n";
 for ($i=0; $i<sizeof($sqspell_lines); $i++){
 $extrajs.= "sqspell_lines[$i] = \""
- . chop(addslashes($sqspell_lines[$i])) . "\";\n";
+ . chop(addcslashes($sqspell_lines[$i], ">'\"\\\x0")) . "\";\n";
 }
 $extrajs.= "\n\n";
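Review bot: The new `else if` for the TEXTAREA case hangs off an `if` whose only statement is `return;`, with two comment blocks sitting between the two branches; a brace-less `if`/`else if` pair split by comments is easy to mis-edit and reads as if the newline stripping were an alternative to the whitelist check rather than the path every non-STRLIST value takes. Because the first branch returns, the `else` is redundant: `if ($option->type == SMOPT_TYPE_STRLIST && !array_key_exists($option->new_value, $option->possible_values)) { return; }` followed by a plain `if ($option->type != SMOPT_TYPE_TEXTAREA) { ... }` expresses the same control flow with braces. The whitelist is applied only to SMOPT_TYPE_STRLIST, so any other list-style widget type defined in this file (the type constants are outside the hunk) still reaches setPref with only CR/LF removed; a comment stating that STRLIST is the only enumerated type would make that decision explicit. save_option's header and the source of `$option->new_value` are outside the hunk, so how a non-scalar value would behave in `array_key_exists()` cannot be judged here.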
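Review bot: The `addcslashes()` charlist on the new line covers the quotes, backslash, `>` and NUL, but not CR or LF, so a spell-checker line with an embedded line break would still end the JavaScript string literal early (the replaced `addslashes()` did not cover this either, so it is not a regression; `chop()` only removes trailing ones). If `$sqspell_lines` entries can contain embedded line breaks — they are built outside the hunk — extending the list to `addcslashes($sqspell_lines[$i], ">'\"\\\x0\r\n")` makes addcslashes emit the JS-readable `\r` and `\n` escapes. A short comment on the charlist, e.g. `// escape quotes, backslash, NUL and '>' so the value cannot close the string or the <script> element`, would record why `>` is included. The enclosing `if ($errors)` block starts outside the hunk.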
@@ -474,4 +474,4 @@ if ($errors){
 * End:
 * vim: syntax=php
 */
-?>
\ No newline at end of file
+?>
diff -up squirrelmail-1.4.8/src/empty_trash.php.CVE-2010-4555 squirrelmail-1.4.8/src/empty_trash.php
--- squirrelmail-1.4.8/src/empty_trash.php.CVE-2010-4555 2011-09-14 16:44:47.930671412 +0200
+++ squirrelmail-1.4.8/src/empty_trash.php 2011-09-14 16:45:27.728949630 +0200
@@ -33,6 +33,11 @@ sqgetGlobalVar('onetimepad', $onetimepad
 /* finished globals */
+// first do a security check
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM))
+ $submitted_token = '';
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
 sqimap_mailbox_list($imap_stream);
@@ -48,6 +53,7 @@ $boxes = sqimap_mailbox_list($imap_strea
 /** First create the top node in the tree **/
 $numboxes = count($boxes);
+$foldersTree = array();
 for ($i = 0; $i < $numboxes; $i++) {
 if (($boxes[$i]['unformatted'] == $mailbox) && (strlen($boxes[$i]['unformatted']) == strlen($mailbox))) {
 $foldersTree[0]['value'] = $mailbox;
@@ -78,4 +84,4 @@ $location = get_location();
 // force_refresh = 1 in case trash contains deleted mailboxes
 header ("Location: $location/left_main.php?force_refresh=1");
-?>
\ No newline at end of file
+?>
diff -up squirrelmail-1.4.8/src/left_main.php.CVE-2010-4555 squirrelmail-1.4.8/src/left_main.php
--- squirrelmail-1.4.8/src/left_main.php.CVE-2010-4555 2011-09-14 16:45:45.019070433 +0200
+++ squirrelmail-1.4.8/src/left_main.php 2011-09-14 16:46:30.873390660 +0200
@@ -100,7 +100,7 @@ function formatMailboxName($imapConnecti
 if (($numMessages > 0) or ($box_array['parent'] == 1)) {
 $urlMailbox = urlencode($real_box);
 $line .= "\n<small>\n" .
- ' (<a href="empty_trash.php" style="text-decoration:none">'._("Purge").'</a>)' .
+ ' (<a href="empty_trash.php?smtoken=' . sm_generate_security_token() . '" style="text-decoration:none">'._("Purge").'</a>)' .
 '</small>';
 }
 } else {
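Review bot: The new check runs before `sqimap_login()`, which is the right place, but nothing in the hunk documents that the script depends on `sm_validate_security_token(..., TRUE)` terminating the request on failure — its return value is discarded, and the function itself is not in this patch. A comment such as `// third argument: abort the request on a missing or invalid token` next to the call would make that contract visible to the next reader (confirm against the function before adding it). Reading the token with SQ_FORM means it is accepted from the query string, which matches the `?smtoken=` link added in left_main.php, but a state-changing purge driven by a GET link leaves the token in browser history, Referer headers and proxy logs for its lifetime, so converting Purge to a small POST form is the natural follow-up. The brace-less `if (...) $submitted_token = '';` also differs from the braced form of the same statement in options_order.php; `if (!sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM)) { $submitted_token = ''; }` keeps them consistent.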
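Review bot: The token returned by `sm_generate_security_token()` is concatenated into the href without `urlencode()`, which is only safe if that function is guaranteed to emit URL-safe characters — its implementation is not in this patch. If that is not guaranteed, `' (<a href="empty_trash.php?smtoken=' . urlencode(sm_generate_security_token()) . '" style="text-decoration:none">'._("Purge").'</a>)' .` is the defensive form. `$urlMailbox` is computed on the preceding line and not used by this link; that predates the change but stands out now that the href is being edited. formatMailboxName begins outside the hunk.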
@@ -469,4 +469,4 @@ sqimap_logout($imapConnection);
 ?>
 </td></tr></table>
-</body></html>
\ No newline at end of file
+</body></html>
diff -up squirrelmail-1.4.8/src/options_order.php.CVE-2010-4555 squirrelmail-1.4.8/src/options_order.php
--- squirrelmail-1.4.8/src/options_order.php.CVE-2010-4555 2011-09-14 16:46:56.211567456 +0200
+++ squirrelmail-1.4.8/src/options_order.php 2011-09-14 16:52:01.835797355 +0200
@@ -28,12 +28,16 @@ require_once(SM_PATH . 'functions/html.p
 require_once(SM_PATH . 'functions/forms.php');
 /* get globals */
-sqgetGlobalVar('num', $num, SQ_GET);
+if (sqgetGlobalVar('num', $num, SQ_GET))
+ $num = (int)$num;
+else
+ $num = 0;
+
 sqgetGlobalVar('add', $add, SQ_POST);
 sqgetGlobalVar('submit', $submit);
 sqgetGlobalVar('method', $method);
-if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
 $submitted_token = '';
 }
 /* end of get globals */
@@ -58,17 +62,21 @@ displayPageHeader($color, 'None');
 if (! isset($method)) {
 $method = '';
 }
- if ($method == 'up' && $num > 1) {
+ if ($method == 'up' && $num > 0 && $num > 1) {
 $prev = $num-1;
 $tmp = $index_order[$prev];
 $index_order[$prev] = $index_order[$num];
 $index_order[$num] = $tmp;
- } else if ($method == 'down' && $num < count($index_order)) {
+ } else if ($method == 'down' && $num > 0 && $num < count($index_order)) {
 $next = $num++;
 $tmp = $index_order[$next];
 $index_order[$next] = $index_order[$num];
 $index_order[$num] = $tmp;
- } else if ($method == 'remove' && $num) {
+ } else if ($method == 'remove' && $num > 0) {
+
+ // first do a security check
+ sm_validate_security_token($submitted_token, 3600, TRUE);
+
 for ($i=1; $i < 8; $i++) {
 removePref($data_dir, $username, "order$i");
 }
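Review bot: The change of the `smtoken` source from SQ_POST to SQ_FORM is the one line in this hunk that widens where a token is accepted from, and it carries no explanation; the POST form that previously required a POSTed token now also honours one in the query string. That is intentional for the new `remove` link further down, so a comment on the line, e.g. `// SQ_FORM: the remove link sends the token in the query string, the options form posts it`, records the reason. The `(int)` cast with a `0` default is a good addition, since every later comparison on `$num` now operates on an integer.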
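Review bot: Only the `remove` branch validates the security token, while the `up` and `down` branches still reorder `$index_order` from the GET-supplied `$method` and `$num` without any token check; if that reordering is saved further down the script (the code after this hunk is not visible), those two actions remain exposed to the same cross-site request problem this patch addresses and should open with the same `sm_validate_security_token($submitted_token, 3600, TRUE);` call. Separately, `$num > 0 && $num > 1` is redundant because the second comparison implies the first — `if ($method == 'up' && $num > 1) {` says the same now that `$num` is always an int; the `down` branch's `$num > 0 &&` guard is the one that actually adds a lower bound. The surrounding block starts outside the hunk.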
@@ -121,7 +129,7 @@ displayPageHeader($color, 'None');
 echo html_tag( 'td' );
 /* Always show the subject */
 if ($tmp != 4)
- echo '<small><a href="options_order.php?method=remove&num=' . $i . '">' . _("remove") . '</a></small>';
+ echo '<small><a href="options_order.php?method=remove&num=' . $i . '&smtoken=' . sm_generate_security_token() . '">' . _("remove") . '</a></small>';
 else
 echo ' ';
 echo '</td>';
@@ -161,4 +169,4 @@ displayPageHeader($color, 'None');
 </td></tr>
 </table>
-</body></html>
\ No newline at end of file
+</body></html>
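Review bot: The new `&smtoken=` segment extends the raw `&` separators inside an HTML attribute value, where `&amp;` is the correct encoding (the pre-existing `&num=` has the same issue, so this is a point of style rather than a regression). As in left_main.php, the token is inserted without `urlencode()`, which is only safe if `sm_generate_security_token()` is guaranteed to produce URL-safe output — not visible in this patch. A single corrected line would be `echo '<small><a href="options_order.php?method=remove&amp;num=' . $i . '&amp;smtoken=' . urlencode(sm_generate_security_token()) . '">' . _("remove") . '</a></small>';`. The enclosing loop begins outside the hunk.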