diff -up squirrelmail-1.4.8/config/conf.pl.secunia squirrelmail-1.4.8/config/conf.pl --- squirrelmail-1.4.8/config/conf.pl.secunia 2009-10-05 11:28:05.331426301 +0200 +++ squirrelmail-1.4.8/config/conf.pl 2009-10-05 11:28:05.423471058 +0200 @@ -336,6 +336,10 @@ if ( !$sendmail_args && $sendmail_path = # Added in 1.4.16 $only_secure_cookies = 'true' if ( !$only_secure_cookies ); +# Added in 1.4.20RC1 +$disable_security_tokens = 'false' if ( !$disable_security_tokens ); +$check_referrer = '' if ( !$check_referrer ); + if ( $ARGV[0] eq '--install-plugin' ) { print "Activating plugin " . $ARGV[1] . "\n"; push @plugins, $ARGV[1]; @@ -508,6 +512,8 @@ while ( ( $command ne "q" ) && ( $comman print "14. PHP session name : $WHT$session_name$NRM\n"; print "15. Location base : $WHT$config_location_base$NRM\n"; print "16. Only secure cookies if poss. : $WHT$only_secure_cookies$NRM\n"; + print "17. Disable secure forms : $WHT$disable_security_tokens$NRM\n"; + print "18. Page referal requirement : $WHT$check_referrer$NRM\n"; print "\n"; print "R Return to Main Menu\n"; } elsif ( $menu == 5 ) { @@ -723,6 +729,8 @@ while ( ( $command ne "q" ) && ( $comman elsif ( $command == 14 ) { $session_name = command314(); } elsif ( $command == 15 ) { $config_location_base = command_config_location_base(); } elsif ( $command == 16 ) { $only_secure_cookies = command316(); } + elsif ( $command == 17 ) { $disable_security_tokens = command317(); } + elsif ( $command == 18 ) { $check_referrer = command318(); } } elsif ( $menu == 5 ) { if ( $command == 1 ) { command41(); } elsif ( $command == 2 ) { $theme_css = command42(); } 
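Review bot: "referal" in the new menu label `print "18. Page referal requirement : $WHT$check_referrer$NRM\n";` is a misspelling of "referrer" that administrators will see on every visit to this menu; the same spelling recurs throughout the command318() help text in the @@ -2303 hunk ("referal checks", "referal checking", "referal information", "Referal requirement?"). The variable itself is `$check_referrer` and the auth.php documentation in this patch says "referrer", so the prompts should use the same word. The menu loop (`while ( ( $command ne "q" ) ...`) that contains these prints starts and ends outside this hunk.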
@@ -2303,6 +2311,63 @@ sub command316 { +# disable_security_tokens (since 1.4.20RC1) +sub command317 { + print "This option allows you to turn off the security checks in the forms\n"; + print "that SquirrelMail generates. It is NOT RECOMMENDED that you disable\n"; + print "this feature - otherwise, your users may be exposed to phishing and\n"; + print "other attacks.\n"; + print "Unless you know what you are doing, you should leave this set to \"NO\".\n"; + print "\n"; + + if ( lc($disable_security_tokens) eq 'true' ) { + $default_value = "y"; + } else { + $default_value = "n"; + } + print "Disable secure forms? (y/n) [$WHT$default_value$NRM]: $WHT"; + $disable_security_tokens = <STDIN>; + if ( ( $disable_security_tokens =~ /^y\n/i ) || ( ( $disable_security_tokens =~ /^\n/ ) && ( $default_value eq "y" ) ) ) { + $disable_security_tokens = 'true'; + } else { + $disable_security_tokens = 'false'; + } + return $disable_security_tokens; +} + + + +# check_referrer (since 1.4.20RC1) +sub command318 { + print "This option allows you to enable referal checks for all page requests\n"; + print "made to SquirrelMail. This can help ensure that page requests came\n"; + print "from the same server and not from an attacker's site (usually the\n"; + print "result of a XSS or phishing attack). To enable referal checking,\n"; + print "this setting can be set to the domain where your SquirrelMail is\n"; + print "being hosted (usually the same as the Domain setting under Server\n"; + print "Settings). 
For example, it could be \"example.com\", or if you\n"; + print "use a plugin (such as Login Manager) to host SquirrelMail on more\n"; + print "than one domain, you can set this to \"###DOMAIN###\" to tell it\n"; + print "to use the current domain.\n"; + print "\n"; + print "However, in some cases (where proxy servers are in use, etc.), the\n"; + print "domain might be different.\n"; + print "\n"; + print "NOTE that referal checks are not foolproof - they can be spoofed by\n"; + print "browsers, and some browsers intentionally don't send referal\n"; + print "information (in which case, the check is silently bypassed)\n"; + print "\n"; + + print "Referal requirement? [$WHT$check_referrer$NRM]: $WHT"; + $new_check_referrer = <STDIN>; + chomp($new_check_referrer); + $check_referrer = $new_check_referrer; + + return $check_referrer; +} + + + #################################################################################### #### THEMES #### sub command41 { @@ -3277,10 +3342,14 @@ sub save_data { print CF "\$session_name = '$session_name';\n"; # boolean - print CF "\$only_secure_cookies = $only_secure_cookies;\n"; + print CF "\$only_secure_cookies = $only_secure_cookies;\n"; + print CF "\$disable_security_tokens = $disable_security_tokens;\n"; + + # string + print CF "\$check_referrer = '$check_referrer';\n"; print CF "\n"; - print CF "\$config_location_base = '$config_location_base';\n"; + print CF "\$config_location_base = '$config_location_base';\n"; print CF "\n"; print CF "\@include SM_PATH . 'config/config_local.php';\n"; diff -up squirrelmail-1.4.8/functions/auth.php.secunia squirrelmail-1.4.8/functions/auth.php --- squirrelmail-1.4.8/functions/auth.php.secunia 2006-08-03 16:48:09.000000000 +0200 +++ squirrelmail-1.4.8/functions/auth.php 2009-10-05 11:28:05.424171414 +0200 
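Review bot: command318() stores whatever the administrator types (`$check_referrer = $new_check_referrer;`) after only a chomp, while is_logged_in() in this same patch prepends `http://`/`https://` to the value before comparing it with the request's referrer, so an entry carrying a scheme or a trailing path (for example "https://example.com/") can never match and every request that sends a referrer is rejected. Normalizing the input to a bare host before storing it, e.g. `$new_check_referrer =~ s{\A\s*(?:https?://)?}{}i; $new_check_referrer =~ s{[/\s].*\z}{}s;`, or at least warning when the value contains `/` or whitespace, avoids a silently broken deployment. The special value `###DOMAIN###` passes through both substitutions unchanged.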
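Review bot: `print CF "\$check_referrer = '$check_referrer';\n";` writes the new string setting inside single quotes without escaping, so a stored value containing `'` or `\` produces a config.php that no longer parses and takes the installation down until it is repaired by hand. Escaping at the point of writing, `(my $quoted = $check_referrer) =~ s/([\\'])/\\$1/g;` and printing `$quoted` instead, keeps the generated file valid whatever was entered. The neighbouring `$config_location_base` line presumably shares the pattern, so a small quoting helper would fit; save_data() starts and ends outside this hunk.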
@@ -33,17 +33,59 @@ if (! isset($use_smtp_tls)) { * Check if user has previously logged in to the SquirrelMail session. If user * has not logged in, execution will stop inside this function. * + * This function optionally checks the referrer of this page request. If the + * administrator wants to impose a check that the referrer of this page request + * is another page on the same domain (otherwise, the page request is likely + * the result of a XSS or phishing attack), then they need to specify the + * acceptable referrer domain in a variable named $check_referrer in + * config/config.php (or the configuration tool) for which the value is + * usually the same as the $domain setting (for example: + * $check_referrer = 'example.com'; + * However, in some cases (where proxy servers are in use, etc.), the + * acceptable referrer might be different. If $check_referrer is set to + * "###DOMAIN###", then the current value of $domain is used (useful in + * situations where $domain might change at runtime (when using the Login + * Manager plugin to host multiple domains with one SquirrelMail installation, + * for example)): + * $check_referrer = '###DOMAIN###'; + * NOTE HOWEVER, that referrer checks are not foolproof - they can be spoofed + * by browsers, and some browsers intentionally don't send them, in which + * case SquirrelMail silently ignores referrer checks. + * * @return int A positive value is returned if user has previously logged in * successfully. */ function is_logged_in() { - if ( sqsession_is_registered('user_is_logged_in') ) { + // check for user login as well as referrer if needed + // + global $check_referrer, $domain; + if ($check_referrer == '###DOMAIN###') $check_referrer = $domain; + if (!empty($check_referrer)) { + $ssl_check_referrer = 'https://' . $check_referrer; + $check_referrer = 'http://' . 
$check_referrer; + } + if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = ''; + if (sqsession_is_registered('user_is_logged_in') + && (!$check_referrer || empty($referrer) + || ($check_referrer && !empty($referrer) + && (strpos(strtolower($referrer), strtolower($check_referrer)) === 0 + || strpos(strtolower($referrer), strtolower($ssl_check_referrer)) === 0)))) { return; } else { + global $PHP_SELF, $HTTP_POST_VARS, $_POST, $session_expired_post, $session_expired_location, $squirrelmail_language; + // use $message to indicate what logout text the user + // will see... if 0, typical "You must be logged in" + // if 1, information that the user session was saved + // and will be resumed after (re)login, if 2, there + // seems to have been a XSS or phishing attack (bad + // referrer) + // + $message = 0; + // First we store some information in the new session to prevent // information-loss. // @@ -55,11 +97,19 @@ function is_logged_in() { $session_expired_location = $PHP_SELF; if (!sqsession_is_registered('session_expired_post')) { sqsession_register($session_expired_post,'session_expired_post'); + $message = 1; } if (!sqsession_is_registered('session_expired_location')) { sqsession_register($session_expired_location,'session_expired_location'); + $message = 1; } + // was bad referrer the reason we were rejected? + // + if (sqsession_is_registered('user_is_logged_in') + && $check_referrer && !empty($referrer)) + $message = 2; + session_write_close(); // signout page will deal with users who aren't logged 
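Review bot: The new referrer check `strpos(strtolower($referrer), strtolower($check_referrer)) === 0` compares against `http://` plus the configured domain with no delimiter after the host, so any referrer whose string merely begins with that domain (a longer hostname that starts with it, for instance) also passes; comparing the host component returned by `parse_url($referrer)` against the configured domain with `strcasecmp` implements the check the new docblock actually describes. The hunk also rewrites the global in place (`$check_referrer = 'http://' . $check_referrer;`), so a second call to is_logged_in() within one request compares against `http://http://…`; keeping the normalized value in a local and using that same local in the `$message = 2` test of the following hunk fixes both. is_logged_in() continues past the end of this hunk.
```php
function is_logged_in() {
    // check for user login as well as referrer if needed
    //
    global $check_referrer, $domain;
    $referrer_domain = ($check_referrer == '###DOMAIN###') ? $domain : $check_referrer;
    if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
    // an absent referrer is accepted (documented); a present one must name the configured host
    $referrer_ok = TRUE;
    if (!empty($referrer_domain) && !empty($referrer)) {
        $referrer_parts = parse_url($referrer);
        $referrer_host = (is_array($referrer_parts) && isset($referrer_parts['host']))
                       ? $referrer_parts['host'] : '';
        $referrer_ok = (strcasecmp($referrer_host, $referrer_domain) == 0);
    }
    if (sqsession_is_registered('user_is_logged_in') && $referrer_ok) {
        return;
    } else {
        // … unchanged: session preservation; the "$message = 2" test becomes !$referrer_ok …
```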
@@ -71,7 +121,12 @@ function is_logged_in() { include_once( SM_PATH . 'functions/display_messages.php' ); set_up_language($squirrelmail_language, true); - logout_error( _("You must be logged in to access this page.") ); + if (!$message) + logout_error( _("You must be logged in to access this page.") ); + else if ($message == 1) + logout_error( _("Your session has expired, but will be resumed after logging in again.") ); + else if ($message == 2) + logout_error( _("The current page request appears to have originated from an unrecognized source.") ); exit; } } diff -up squirrelmail-1.4.8/functions/forms.php.secunia squirrelmail-1.4.8/functions/forms.php --- squirrelmail-1.4.8/functions/forms.php.secunia 2006-04-15 00:27:07.000000000 +0200 +++ squirrelmail-1.4.8/functions/forms.php 2009-10-05 11:28:05.424171414 +0200 @@ -131,8 +131,24 @@ function addTextArea($name, $text = '', /** * Make a <form> start-tag. + * + * @param string $action + * @param string $method + * @param string $name + * @param string $enctype + * @param string $charset + * @param string $extra Any other attributes can be added with this parameter; + * they should use double quotes around attribute values + * (OPTIONAL; default empty) + * @param mixed $add_token When given as a string or as boolean TRUE, a hidden + * input is also added to the form containing a security + * token. When given as TRUE, the input name is "smtoken"; + * otherwise the name is the string that is given for this + * parameter. When FALSE, no hidden token input field is + * added. (OPTIONAL; default not used) + * */ -function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '') +function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '', $extra = '', $add_token = FALSE) { if($name) { $name = ' name="'.$name.'"'; 
@@ -144,8 +160,16 @@ function addForm($action, $method = 'pos $charset = ' accept-charset="'.htmlspecialchars($charset).'"'; } - return '<form action="'. $action .'" method="'. $method .'"'. - $enctype . $name . $charset . ">\n"; + $form_string = '<form action="'. $action .'" method="'. $method .'"'. + $enctype . $name . $charset . ' ' . $extra . " >\n"; + + if($add_token) { + $form_string .= '<input type="hidden" value="' . sm_generate_security_token() + . '" name="' . (is_string($add_token) ? $add_token : 'smtoken') + . "\" />\n"; + } + + return $form_string; } ?> \ No newline at end of file diff -up squirrelmail-1.4.8/functions/mailbox_display.php.secunia squirrelmail-1.4.8/functions/mailbox_display.php --- squirrelmail-1.4.8/functions/mailbox_display.php.secunia 2009-10-05 11:35:48.774112071 +0200 +++ squirrelmail-1.4.8/functions/mailbox_display.php 2009-10-05 11:35:48.823483476 +0200 @@ -316,7 +316,7 @@ function getServerMessages($imapConnecti $end_loop = $num_msgs - $start_msg + 1; } else { $end_loop = $show_num; - } + } return fillMessageArray($imapConnection,$id,$end_loop,$show_num); } else { return false; @@ -367,7 +367,7 @@ function getSelfSortMessages($imapConnec } else { $end_loop = $show_num; } - } + } $msgs = fillMessageArray($imapConnection,$id,$end_loop, $show_num); } return $msgs; @@ -441,7 +441,7 @@ function showMessagesForMailbox($imapCon sqgetGlobalVar('msort', $msort, SQ_SESSION); } else { sqsession_unregister('msort'); - sqsession_unregister('msgs'); + sqsession_unregister('msgs'); } switch ($mode) { case 'thread': 
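Review bot: The rewritten start tag `$form_string = '<form action="'. $action .'" method="'. $method .'"'. $enctype . $name . $charset . ' ' . $extra . " >\n";` still interpolates `$action` raw while `$charset` on the context line above goes through htmlspecialchars(); callers in this patch pass `$PHP_SELF` and URLs with query strings such as `folders_subscribe.php?method=unsub`, so `htmlspecialchars($action)` would keep any `&` or `"` in the URL from breaking out of the attribute, unless a caller is known to pass already entity-encoded URLs. `$extra` is documented as raw attribute markup and can stay as is. The `' ' . $extra . " >\n"` concatenation also emits `<form ... " >` with a stray space when `$extra` is empty; `($extra ? ' ' . $extra : '') . ">\n"` avoids it. addForm() starts before this hunk.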
@@ -694,6 +694,7 @@ function mail_message_listing_beginning $msg = ''; } $moveFields = '<input type="hidden" name="msg" value="'.htmlspecialchars($msg).'">' . "\n" . + '<input type="hidden" name="smtoken" value="'.sm_generate_security_token().'">' . "\n" . '<input type="hidden" name="mailbox" value="'.htmlspecialchars($mailbox).'">' . "\n" . '<input type="hidden" name="startMessage" value="'.htmlspecialchars($start_msg).'">' . "\n"; diff -up squirrelmail-1.4.8/functions/strings.php.secunia squirrelmail-1.4.8/functions/strings.php --- squirrelmail-1.4.8/functions/strings.php.secunia 2009-10-05 11:28:05.332426078 +0200 +++ squirrelmail-1.4.8/functions/strings.php 2009-10-05 11:28:05.425171187 +0200 
@@ -858,6 +858,188 @@ function sq_trim_value ( &$value ) { $value = trim($value); } +/** + * Gathers the list of secuirty tokens currently + * stored in the user's preferences and optionally + * purges old ones from the list. + * + * @param boolean $purge_old Indicates if old tokens + * should be purged from the + * list ("old" is 30 days or + * older unless the administrator + * overrides that value using + * $max_security_token_age in + * config/config_local.php) + * (OPTIONAL; default is to always + * purge old tokens) + * + * @return array The list of tokens + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_get_user_security_tokens($purge_old=TRUE) +{ + + global $data_dir, $username, $max_token_age_days; + + $tokens = getPref($data_dir, $username, 'security_tokens', ''); + if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens)) + $tokens = array(); + + // purge old tokens if necessary + // + if ($purge_old) + { + if (empty($max_token_age_days)) $max_token_age_days = 30; + $now = time(); + $discard_token_date = $now - ($max_token_age_days * 86400); + $cleaned_tokens = array(); + foreach ($tokens as $token => $timestamp) + if ($timestamp >= $discard_token_date) + $cleaned_tokens[$token] = $timestamp; + $tokens = $cleaned_tokens; + } + + return $tokens; + +} + +/** + * Generates a security token that is then stored in + * the user's preferences with a timestamp for later + * verification/use. + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config.php or the configuration tool, this + * function will not store tokens in the user + * preferences (but it will still generate and return + * a random string). 
+ * + * @return void + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_generate_security_token() +{ + + global $data_dir, $username, $disable_security_tokens; + $max_generation_tries = 1000; + + $tokens = sm_get_user_security_tokens(); + + $new_token = GenerateRandomString(12, '', 7); + $count = 0; + while (isset($tokens[$new_token])) + { + $new_token = GenerateRandomString(12, '', 7); + if (++$count > $max_generation_tries) + { + logout_error(_("Fatal token generation error; please contact your system administrator or the SquirrelMail Team")); + exit; + } + } + + // is the token system enabled? CAREFUL! + // + if (!$disable_security_tokens) + { + $tokens[$new_token] = time(); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + return $new_token; + +} + +/** + * Validates a given security token and optionally remove it + * from the user's preferences if it was valid. If the token + * is too old but otherwise valid, it will still be rejected. + * + * "Too old" is 30 days or older unless the administrator + * overrides that value using $max_security_token_age in + * config/config_local.php + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config.php or the configuration tool, this + * function will always return TRUE. + * + * @param string $token The token to validate + * @param int $validity_period The number of seconds tokens are valid + * for (set to zero to remove valid tokens + * after only one use; use 3600 to allow + * tokens to be reused for an hour) + * (OPTIONAL; default is to only allow tokens + * to be used once) + * @param boolean $show_error Indicates that if the token is not + * valid, this function should display + * a generic error, log the user out + * and exit - this function will never + * return in that case. 
+ * (OPTIONAL; default FALSE) + * + * @return boolean TRUE if the token validated; FALSE otherwise + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_validate_security_token($token, $validity_period=0, $show_error=FALSE) +{ + + global $data_dir, $username, $max_token_age_days, + $disable_security_tokens; + + // bypass token validation? CAREFUL! + // + if ($disable_security_tokens) return TRUE; + + // don't purge old tokens here because we already + // do it when generating tokens + // + $tokens = sm_get_user_security_tokens(FALSE); + + // token not found? + // + if (empty($tokens[$token])) + { + if (!$show_error) return FALSE; + logout_error(_("This page request could not be verified and appears to have expired.")); + exit; + } + + $now = time(); + $timestamp = $tokens[$token]; + + // whether valid or not, we want to remove it from + // user prefs if it's old enough + // + if ($timestamp < $now - $validity_period) + { + unset($tokens[$token]); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + // reject tokens that are too old + // + if (empty($max_token_age_days)) $max_token_age_days = 30; + $old_token_date = $now - ($max_token_age_days * 86400); + if ($timestamp < $old_token_date) + { + if (!$show_error) return FALSE; + logout_error(_("The current page request appears to have originated from an untrusted source.")); + exit; + } + + // token OK! + // + return TRUE; + +} + $PHP_SELF = php_self(); ?> diff -up squirrelmail-1.4.8/plugins/delete_move_next/setup.php.secunia squirrelmail-1.4.8/plugins/delete_move_next/setup.php --- squirrelmail-1.4.8/plugins/delete_move_next/setup.php.secunia 2006-06-08 16:59:19.000000000 +0200 +++ squirrelmail-1.4.8/plugins/delete_move_next/setup.php 2009-10-05 11:28:05.425171187 +0200 
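Review bot: The docblocks of sm_get_user_security_tokens() and sm_validate_security_token() tell administrators to override the retention period with `$max_security_token_age`, but both functions read `$max_token_age_days` (`global $data_dir, $username, $max_token_age_days;`), so an override written as documented has no effect; the comments should name `$max_token_age_days` and say it is in days, and the sm_generate_security_token() docblock should read `@return string The newly generated token` rather than `@return void`. The token list is rebuilt with `unserialize($tokens)` from the preference store, which is a deserialization sink if anything other than this code can write that preference; a comment at that line such as `// NOTE: unserialize() of stored data - the only writer must remain setPref() in this file` records the assumption the design relies on. "secuirty" in the first docblock should be "security".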
@@ -184,13 +184,13 @@ function delete_move_next_read($currloc) "<td bgcolor=\"$color[9]\" width=\"100%\" align=\"center\"><small>"; if ($prev > 0){ - echo "<a href=\"read_body.php?passed_id=$prev_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id\">" . _("Delete & Prev") . "</a>" . " | \n"; + echo "<a href=\"read_body.php?passed_id=$prev_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id&smtoken=" . sm_generate_security_token() . "\">" . _("Delete & Prev") . "</a>" . " | \n"; } else { echo _("Delete & Prev") . " | "; } if ($next > 0){ - echo "<a href=\"read_body.php?passed_id=$next_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id\">" . _("Delete & Next") . "</a>\n"; + echo "<a href=\"read_body.php?passed_id=$next_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id&smtoken=" . sm_generate_security_token() . "\">" . _("Delete & Next") . "</a>\n"; } else { echo _("Delete & Next"); } @@ -240,6 +240,7 @@ function delete_move_next_moveNextForm($ "<form action=\"read_body.php?mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&passed_id=$next\" method=\"post\"><small>". "<input type=\"hidden\" name=\"show_more\" value=\"0\">". "<input type=\"hidden\" name=\"move_id\" value=\"$passed_id\">". + "<input type=\"hidden\" name=\"smtoken\" value=\"" . sm_generate_security_token() . "\">". _("Move to:") . ' <select name="targetMailbox">'; get_move_target_list(); 
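Review bot: The `smtoken` values added to the "Delete & Prev" and "Delete & Next" hrefs travel in GET URLs, so they land in browser history, Referer headers and access logs, and delete_move_next_delete() (the @@ -279 hunk) then accepts each of them for an hour via `sm_validate_security_token($submitted_token, 3600, TRUE);`. If the 3600-second window exists to tolerate form resubmission, these one-shot links do not need it; validating link-borne tokens with `sm_validate_security_token($submitted_token, 0, TRUE);` discards them on first use. The same consideration applies to the GET-driven delete in delete_message.php (its @@ -50 hunk). delete_move_next_read() starts before this hunk.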
@@ -263,6 +264,7 @@ function delete_move_next_moveRightMainF "<td bgcolor=\"$color[9]\" width=\"100%\" align=\"center\">". "<form action=\"right_main.php?mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage\" method=\"post\"><small>" . "<input type=\"hidden\" name=\"move_id\" value=\"$passed_id\">". + "<input type=\"hidden\" name=\"smtoken\" value=\"" . sm_generate_security_token() . "\">". _("Move to:") . ' <select name="targetMailbox">'; get_move_target_list(); @@ -279,6 +281,12 @@ function delete_move_next_delete() { sqgetGlobalVar('delete_id', $delete_id, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_GET); + if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) { + $submitted_token = ''; + } + + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); sqimap_messages_delete($imapConnection, $delete_id, $delete_id, $mailbox); if ($auto_expunge) { @@ -294,6 +302,13 @@ function delete_move_next_move() { sqgetGlobalVar('mailbox', $mailbox, SQ_FORM); sqgetGlobalVar('targetMailbox', $targetMailbox, SQ_POST); + if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; + } + + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + // Move message sqimap_messages_copy($imapConnection, $move_id, $move_id, $targetMailbox); sqimap_messages_flag($imapConnection, $move_id, $move_id, 'Deleted', true); diff -up squirrelmail-1.4.8/plugins/newmail/newmail_opt.php.secunia squirrelmail-1.4.8/plugins/newmail/newmail_opt.php --- squirrelmail-1.4.8/plugins/newmail/newmail_opt.php.secunia 2009-10-05 11:40:03.240113790 +0200 +++ squirrelmail-1.4.8/plugins/newmail/newmail_opt.php 2009-10-05 11:40:03.296108415 +0200 
@@ -69,6 +69,7 @@ echo '</td></tr>' . html_tag( 'td', '', 'center', $color[4] ) . "\n" . '<hr style="width: 25%; height: 1px;" />' . "\n"; echo '<form action="'.sqm_baseuri().'src/options.php" method="post">' . "\n" . + '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '">' . "\n" . html_tag( 'table', '', '', '', 'width="100%" cellpadding="5" cellspacing="0" border="0"' ) . "\n"; // Option: media_allbox diff -up squirrelmail-1.4.8/plugins/spamcop/spamcop.php.secunia squirrelmail-1.4.8/plugins/spamcop/spamcop.php --- squirrelmail-1.4.8/plugins/spamcop/spamcop.php.secunia 2009-10-05 11:43:40.065113645 +0200 +++ squirrelmail-1.4.8/plugins/spamcop/spamcop.php 2009-10-05 11:43:40.122358477 +0200 @@ -153,6 +153,7 @@ echo "</p>"; $report_email = 'quick.' . $spamcop_id . '@spam.spamcop.net'; $form_action = SM_PATH . 'src/compose.php'; ?> <form method="post" action="<?PHP echo $form_action?>"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <input type="hidden" name="mailbox" value="<?PHP echo htmlspecialchars($mailbox) ?>" /> <input type="hidden" name="spamcop_is_composing" value="<?PHP echo htmlspecialchars($passed_id) ?>" /> <input type="hidden" name="send_to" value="<?PHP echo htmlspecialchars($report_email)?>" /> diff -up squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod.secunia squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod --- squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod.secunia 2009-10-05 11:41:37.842483368 +0200 +++ squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod 2009-10-05 11:42:35.003420972 +0200 @@ -16,6 +16,11 @@ * @subpackage squirrelspell */ +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} +sm_validate_security_token($submitted_token, 3600, TRUE); + global $SQSPELL_APP; $msg = '<p>' 
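Review bot: The token check `sm_validate_security_token($submitted_token, 3600, TRUE);` is placed at the top of lang_setup.mod, which only renders the language form; the form it emits posts `MOD=lang_change`, so the actual state change happens in lang_change.mod, which is not in this chunk. If MOD=lang_setup is reached by a plain link that carries no POSTed `smtoken`, every visit will end in logout_error; confirm how the module is reached, and make sure the check also exists where the language is actually changed. This module file continues past the hunk.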
@@ -23,6 +28,7 @@ $msg = '<p>' . '</p>' . '<form method="post">' . '<input type="hidden" name="MOD" value="lang_change" />' + . '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '" />' . '<blockquote><p>'; /** * Present a nice listing. diff -up squirrelmail-1.4.8/src/addrbook_search_html.php.secunia squirrelmail-1.4.8/src/addrbook_search_html.php --- squirrelmail-1.4.8/src/addrbook_search_html.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/addrbook_search_html.php 2009-10-05 11:28:05.425171187 +0200 @@ -72,7 +72,7 @@ function addr_display_result($res, $incl if (sizeof($res) <= 0) return; - echo addForm($PHP_SELF, 'POST', 'addrbook'). + echo addForm($PHP_SELF, 'POST', 'addrbook', '', '', '', TRUE). addHidden('html_addr_search_done', 'true'); addr_insert_hidden(); $line = 0; @@ -297,7 +297,7 @@ else { if ($addrquery == '' || sizeof($res) == 0) { /* printf('<center><form method="post" name="k" action="compose.php">'."\n", $PHP_SELF); */ echo '<center>'. - addForm('compose.php','POST','k'); + addForm('compose.php','POST','k', '', '', '', TRUE); addr_insert_hidden(); echo '<input type="submit" value="' . _("Return") . '" name="return" />' . "\n" . '</form></center></nobr>'; diff -up squirrelmail-1.4.8/src/addressbook.php.secunia squirrelmail-1.4.8/src/addressbook.php --- squirrelmail-1.4.8/src/addressbook.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/addressbook.php 2009-10-05 11:28:05.426108290 +0200 @@ -28,6 +28,9 @@ require_once(SM_PATH . 'functions/html.p require_once(SM_PATH . 'functions/forms.php'); /** lets get the global vars we may need */ +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} sqgetGlobalVar('key', $key, SQ_COOKIE); sqgetGlobalVar('username', $username, SQ_SESSION); 
@@ -170,6 +173,9 @@ $form_url = 'addressbook.php'; /* Handle user's actions */ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') { + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + /************************************************** * Add new address * **************************************************/ @@ -259,7 +265,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req $olddata = $abook->lookup($enick, $ebackend); /* Display the "new address" form */ - echo addForm($form_url, 'post'). + echo addForm($form_url, 'post', '', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', @@ -291,7 +297,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req 'center', '', 'width="100%"' ); /* Display the "new address" form again */ - echo addForm($form_url, 'post'). + echo addForm($form_url, 'post', '', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', @@ -364,7 +370,7 @@ if ($showaddrlist) { /* List addresses */ if (count($alist) > 0) { - echo addForm($form_url, 'post'); + echo addForm($form_url, 'post', 'address_book_form', '', '', '', TRUE); while(list($undef,$row) = each($alist)) { /* New table header for each backend */ @@ -478,7 +484,7 @@ if ($showaddrlist) { /* Display the "new address" form */ echo '<a name="AddAddress"></a>' . "\n" . - addForm($form_url, 'post', 'f_add'). + addForm($form_url, 'post', 'f_add', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n", diff -up squirrelmail-1.4.8/src/compose.php.secunia squirrelmail-1.4.8/src/compose.php --- squirrelmail-1.4.8/src/compose.php.secunia 2009-10-05 11:28:05.323420793 +0200 +++ squirrelmail-1.4.8/src/compose.php 2009-10-05 11:28:05.427108454 +0200 
@@ -59,6 +59,9 @@ if (isset($send) && $send) { $SQ_GLOBAL = SQ_FORM; } sqgetGlobalVar('smaction',$action, $SQ_GLOBAL); +if (!sqgetGlobalVar('smtoken',$submitted_token, $SQ_GLOBAL)) { + $submitted_token = ''; +} sqgetGlobalVar('session',$session, $SQ_GLOBAL); sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL); if ( !sqgetGlobalVar('identity',$identity, $SQ_GLOBAL) ) { @@ -358,6 +361,11 @@ if (!isset($mailbox) || $mailbox == '' | } if ($draft) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + /* * Set $default_charset to correspond with the user's selection * of language interface. @@ -374,11 +382,11 @@ if ($draft) { if(isset($delete_draft)) { if ( !isset($pageheader_sent) || !$pageheader_sent ) { Header("Location: $location/delete_message.php?mailbox=" . urlencode($draft_folder) . - "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes"); + "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes&smtoken=" . sm_generate_security_token()); } else { echo ' <br><br><center><a href="' . $location . "/delete_message.php?mailbox=" . urlencode($draft_folder) - . "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes\">" + . "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes&smtoken=" . sm_generate_security_token() . "\">" . _("Return") . '</a></center>'; } exit(); @@ -411,6 +419,11 @@ if ($draft) { } if ($send) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if (isset($_FILES['attachfile']) && $_FILES['attachfile']['tmp_name'] && $_FILES['attachfile']['tmp_name'] != 'none') { 
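Review bot: The check `sm_validate_security_token($submitted_token, 3600, TRUE);` is repeated verbatim, comment included, at the head of six action branches (here and in the @@ -411, -498, -542, -553 and -570 hunks), which makes it easy for a future branch to be added without it. Every protected branch is selected by one of `$draft`, `$send`, `$html_addr_search_done`, `$attach`, `$sigappend` or `$do_delete`, so a single guard before the `if ($draft)` chain, e.g. `if ($draft || $send || isset($html_addr_search_done) || isset($attach) || isset($sigappend) || isset($do_delete)) sm_validate_security_token($submitted_token, 3600, TRUE);`, keeps the plain compose display token-free and puts the rule in one auditable place. The surrounding top-level dispatch of compose.php starts and ends outside this hunk.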
@@ -471,7 +484,7 @@ if ($send) { /* if it is resumed draft, delete draft message */ if ( isset($delete_draft)) { Header("Location: $location/delete_message.php?mailbox=" . urlencode( $draft_folder ). - "&message=$delete_draft&sort=$sort&startMessage=1&mail_sent=yes"); + "&message=$delete_draft&sort=$sort&startMessage=1&mail_sent=yes&smtoken=" . sm_generate_security_token()); exit(); } if ($compose_new_win == '1') { @@ -498,6 +511,11 @@ if ($send) { /* sqimap_logout($imapConnection); */ } } elseif (isset($html_addr_search_done)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } @@ -542,6 +560,11 @@ if ($send) { */ include_once('./addrbook_search_html.php'); } elseif (isset($attach)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if (saveAttachedFiles($session)) { plain_error_message(_("Could not move/copy file. File not attached"), $color); } @@ -553,6 +576,10 @@ if ($send) { showInputForm($session); } elseif (isset($sigappend)) { + + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $idents = getPref($data_dir, $username, 'identities', 0); if ($idents > 1) { if ($identity == 'default') { @@ -570,6 +597,11 @@ elseif (isset($sigappend)) { } showInputForm($session); } elseif (isset($do_delete)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } else { 
@@ -1028,6 +1060,7 @@ function showInputForm ($session, $value echo ">\n"; + echo addHidden('smtoken', sm_generate_security_token()); echo addHidden('startMessage', $startMessage); if ($action == 'draft') { diff -up squirrelmail-1.4.8/src/delete_message.php.secunia squirrelmail-1.4.8/src/delete_message.php --- squirrelmail-1.4.8/src/delete_message.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/delete_message.php 2009-10-05 11:39:23.848483379 +0200 @@ -29,6 +29,9 @@ sqgetGlobalVar('onetimepad', $onetimepad sqgetGlobalVar('message', $message, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_GET); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) { + $submitted_token = ''; +} /* end globals */ if (isset($_GET['saved_draft'])) { @@ -50,6 +53,9 @@ if (isset($_GET['startMessage'])) { $startMessage = (int) $_GET['startMessage']; } +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); sqimap_mailbox_select($imapConnection, $mailbox); @@ -72,6 +78,7 @@ $location = get_location(); if (isset($where) && isset($what)) { header("Location: $location/search.php?where=" . $where . + '&smtoken=' . sm_generate_security_token() . '&what=' . $what . '&mailbox=' . urlencode($mailbox)); } else { if (!empty($saved_draft) || !empty($mail_sent)) { diff -up squirrelmail-1.4.8/src/folders_create.php.secunia squirrelmail-1.4.8/src/folders_create.php --- squirrelmail-1.4.8/src/folders_create.php.secunia 2006-08-05 13:08:55.000000000 +0200 +++ squirrelmail-1.4.8/src/folders_create.php 2009-10-05 11:28:05.427108454 +0200 
@@ -35,8 +35,14 @@ sqgetGlobalVar('subfolder', $subfolde if (! sqgetGlobalVar('contain_subs', $contain_subs, SQ_POST)) { unset($contains_subs); } +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $folder_name = trim($folder_name); if (substr_count($folder_name, '"') || substr_count($folder_name, "\\") || diff -up squirrelmail-1.4.8/src/folders_delete.php.secunia squirrelmail-1.4.8/src/folders_delete.php --- squirrelmail-1.4.8/src/folders_delete.php.secunia 2006-02-03 23:27:55.000000000 +0100 +++ squirrelmail-1.4.8/src/folders_delete.php 2009-10-05 11:28:05.427108454 +0200 @@ -39,6 +39,9 @@ sqgetGlobalVar('username', $username, sqgetGlobalVar('onetimepad',$onetimepad, SQ_SESSION); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); sqgetGlobalVar('mailbox', $mailbox, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ if ($mailbox == '') { @@ -66,7 +69,7 @@ if( !sqgetGlobalVar('confirmed', $tmp, S html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[4] ) . sprintf(_("Are you sure you want to delete %s?"), str_replace(array(' ','<','>'),array(' ','<','>'),imap_utf7_decode_local($mailbox))). - addForm('folders_delete.php', 'post')."<p>\n". + addForm('folders_delete.php', 'post', '', '', '', '', TRUE)."<p>\n". addHidden('mailbox', $mailbox). addSubmit(_("Yes"), 'confirmed'). addSubmit(_("No"), 'backingout'). 
@@ -75,6 +78,9 @@ if( !sqgetGlobalVar('confirmed', $tmp, S exit; } +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); $boxes = sqimap_mailbox_list ($imap_stream); diff -up squirrelmail-1.4.8/src/folders.php.secunia squirrelmail-1.4.8/src/folders.php --- squirrelmail-1.4.8/src/folders.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/folders.php 2009-10-05 11:28:05.427108454 +0200 @@ -100,7 +100,7 @@ echo html_tag( 'table', '', 'center', '' ) . html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[0] ) . - addForm('folders_create.php', 'POST', 'cf'). + addForm('folders_create.php', 'POST', 'cf', '', '', '', TRUE). addInput('folder_name', '', 25). "<br />\n". _("as a subfolder of"). '<br />'. "<tt><select name=\"subfolder\">\n"; @@ -260,7 +260,7 @@ echo html_tag( 'table', '', 'center', '' html_tag( 'td', '', 'center', $color[0], 'width="50%"' ); if ($count_special_folders < count($boxes)) { - echo addForm('folders_subscribe.php?method=unsub') + echo addForm('folders_subscribe.php?method=unsub', 'post', '', '', '', '', TRUE) . "<tt><select name=\"mailbox[]\" multiple=\"multiple\" size=\"8\">\n"; for ($i = 0; $i < count($boxes); $i++) { $use_folder = true; @@ -308,7 +308,7 @@ if(!$no_list_for_subscribe) { } if (count($box) > 0) { - echo addForm('folders_subscribe.php?method=sub') + echo addForm('folders_subscribe.php?method=sub', 'post', '', '', '', '', TRUE) . '<tt><select name="mailbox[]" multiple="multiple" size="8">'; for ($q = 0; $q < count($box); $q++) { 
@@ -323,7 +323,7 @@ if(!$no_list_for_subscribe) { } } else { /* don't perform the list action -- this is much faster */ - echo addForm('folders_subscribe.php?method=sub') + echo addForm('folders_subscribe.php?method=sub', 'post', '', '', '', '', TRUE) . _("Subscribe to:") . '<br />' . '<tt><input type="text" name="mailbox[]" size="35" />' . '<input type="submit" value="'. _("Subscribe") . "\" />\n" diff -up squirrelmail-1.4.8/src/folders_rename_do.php.secunia squirrelmail-1.4.8/src/folders_rename_do.php --- squirrelmail-1.4.8/src/folders_rename_do.php.secunia 2006-02-03 23:27:55.000000000 +0100 +++ squirrelmail-1.4.8/src/folders_rename_do.php 2009-10-05 11:28:05.428483276 +0200 @@ -33,8 +33,14 @@ sqgetGlobalVar('onetimepad',$onetimepad, sqgetGlobalVar('orig', $orig, SQ_POST); sqgetGlobalVar('old_name', $old_name, SQ_POST); sqgetGlobalVar('new_name', $new_name, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $new_name = trim($new_name); if (substr_count($new_name, '"') || substr_count($new_name, "\\") || diff -up squirrelmail-1.4.8/src/folders_rename_getname.php.secunia squirrelmail-1.4.8/src/folders_rename_getname.php --- squirrelmail-1.4.8/src/folders_rename_getname.php.secunia 2006-02-03 23:27:55.000000000 +0100 +++ squirrelmail-1.4.8/src/folders_rename_getname.php 2009-10-05 11:28:05.428483276 +0200 
@@ -69,7 +69,7 @@ echo '<br />' . ) . html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[4] ) . - addForm('folders_rename_do.php'). + addForm('folders_rename_do.php', 'post', '', '', '', '', TRUE). _("New name:"). '<br /><b>' . htmlspecialchars($old_parent) . ' ' . htmlspecialchars($delimiter) . '</b>' . addInput('new_name', $old_name, 25) . '<br />' . "\n"; diff -up squirrelmail-1.4.8/src/folders_subscribe.php.secunia squirrelmail-1.4.8/src/folders_subscribe.php --- squirrelmail-1.4.8/src/folders_subscribe.php.secunia 2006-02-03 23:27:55.000000000 +0100 +++ squirrelmail-1.4.8/src/folders_subscribe.php 2009-10-05 11:28:05.428483276 +0200 @@ -31,8 +31,14 @@ sqgetGlobalVar('username', $username, sqgetGlobalVar('onetimepad',$onetimepad, SQ_SESSION); sqgetGlobalVar('method', $method, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $location = get_location(); if (!isset($mailbox) || !isset($mailbox[0]) || $mailbox[0] == '') { diff -up squirrelmail-1.4.8/src/move_messages.php.secunia squirrelmail-1.4.8/src/move_messages.php --- squirrelmail-1.4.8/src/move_messages.php.secunia 2006-05-13 22:01:15.000000000 +0200 +++ squirrelmail-1.4.8/src/move_messages.php 2009-10-05 11:28:05.428483276 +0200 
@@ -130,8 +130,14 @@ sqgetGlobalVar('markUnread', $markU sqgetGlobalVar('attache', $attache, SQ_POST); sqgetGlobalVar('location', $location, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ +// security check +sm_validate_security_token($submitted_token, 3600, TRUE); + $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); $mbx_response=sqimap_mailbox_select($imapConnection, $mailbox); diff -up squirrelmail-1.4.8/src/options_highlight.php.secunia squirrelmail-1.4.8/src/options_highlight.php --- squirrelmail-1.4.8/src/options_highlight.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/options_highlight.php 2009-10-05 11:28:05.429483359 +0200 @@ -37,6 +37,9 @@ sqGetGlobalVar('color_type', $color_type sqGetGlobalVar('match_type', $match_type); sqGetGlobalVar('value', $value); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) { + $submitted_token = ''; +} /* end of get globals */ function oh_opt( $val, $sel, $tit ) { @@ -56,6 +59,10 @@ if (! isset($message_highlight_list)) { if (isset($theid) && ($action == 'delete') || ($action == 'up') || ($action == 'down')) { + + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $new_rules = array(); switch($action) { case('delete'): @@ -90,6 +97,9 @@ if (isset($theid) && ($action == 'delete exit; } else if ($action == 'save') { + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($color_type == 1) $newcolor = $newcolor_choose; elseif ($color_type == 2) $newcolor = $newcolor_input; else $newcolor = $color_type; 
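Review bot: In options_highlight.php the new `sm_validate_security_token(...)` call sits under `if (isset($theid) && ($action == 'delete') || ($action == 'up') || ($action == 'down'))`, where `&&` binds tighter than `||`, so `isset($theid)` only guards the delete case and the up/down branches run with `$theid` possibly unset. The token check itself is unaffected, but the block it now protects can be entered without an id; parenthesise the condition: `if (isset($theid) && ($action == 'delete' || $action == 'up' || $action == 'down')) {`. The switch that follows continues below the hunk.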
@@ -150,13 +160,13 @@ if ($mhl_count > 0) { $links = '<small>[<a href="options_highlight.php?action=edit&theid=' . $i . '">' . _("Edit") . - '</a>] [<a href="options_highlight.php?action=delete&theid='. $i . '">' . + '</a>] [<a href="options_highlight.php?action=delete&smtoken=' . sm_generate_security_token() . '&theid='. $i . '">' . _("Delete"); if($i > 0) { - $links .= '</a>] [<a href="options_highlight.php?action=up&theid='. $i . '">' . _("Up"); + $links .= '</a>] [<a href="options_highlight.php?action=up&smtoken=' . sm_generate_security_token() . '&theid='. $i . '">' . _("Up"); } if($i+1 < $mhl_count) { - $links .= '</a>] [<a href="options_highlight.php?action=down&theid='. $i . '">' . _("Down"); + $links .= '</a>] [<a href="options_highlight.php?action=down&smtoken=' . sm_generate_security_token() . '&theid='. $i . '">' . _("Down"); } $links .= '</a>]</small>'; @@ -361,7 +371,7 @@ if ($action == 'edit' || $action == 'add else if ($selected_choose == '') $selected_input = TRUE; - echo addForm('options_highlight.php', 'POST', 'f'). + echo addForm('options_highlight.php', 'POST', 'f', '', '', '', TRUE). addHidden('action', 'save'); if($action == 'edit') { echo addHidden('theid', (isset($theid)?$theid:'')); @@ -465,4 +475,4 @@ if ($action == 'edit' || $action == 'add } do_hook('options_highlight_bottom'); ?> -</table></body></html> \ No newline at end of file +</table></body></html> diff -up squirrelmail-1.4.8/src/options_identities.php.secunia squirrelmail-1.4.8/src/options_identities.php --- squirrelmail-1.4.8/src/options_identities.php.secunia 2006-06-12 19:54:46.000000000 +0200 +++ squirrelmail-1.4.8/src/options_identities.php 2009-10-05 11:28:05.429483359 +0200 
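Review bot: `sm_generate_security_token()` is now called up to three times per highlight rule in this loop (delete, up and down links), and search.php repeats the pattern for every saved and recent search (L30, L31). If each call mints and stores a fresh token rather than returning the session's current one — which the hunk cannot show — a page with many rules stores many tokens per view; generating once, `$token = sm_generate_security_token();`, ahead of the loop and reusing `$token` in each link avoids that. The loop header is outside the hunk. These links also perform state changes via GET, so the token is visible in Referer headers and logs for its lifetime.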
@@ -24,6 +24,7 @@ require_once(SM_PATH . 'include/validate include_once(SM_PATH . 'functions/global.php'); include_once(SM_PATH . 'functions/display_messages.php'); include_once(SM_PATH . 'functions/html.php'); +include_once(SM_PATH . 'functions/forms.php'); include_once(SM_PATH . 'functions/identity.php'); /* make sure that page is not available when $edit_identity is false */ @@ -39,9 +40,16 @@ sqgetGlobalVar('newidentities', $newiden sqgetGlobalVar('smaction', $smaction, SQ_POST); sqgetGlobalVar('return', $return, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} + // First lets see if there are any actions to perform // if (!empty($smaction) && is_array($smaction)) { + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $doaction = ''; $identid = 0; @@ -69,9 +77,9 @@ displayPageHeader($color, 'None'); do_hook('options_identities_top'); -$td_str = ''; -$td_str .= '<form name="f" action="options_identities.php" method="post"><br />' . "\n"; -$td_str .= '<table border="0" cellspacing="0" cellpadding="0" width="100%">' . "\n"; +$td_str = '<form name="f" action="options_identities.php" method="post"><br />' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n" + . '<table border="0" cellspacing="0" cellpadding="0" width="100%">' . "\n"; $cnt = count($identities); foreach( $identities as $iKey=>$ident ) { diff -up squirrelmail-1.4.8/src/options_order.php.secunia squirrelmail-1.4.8/src/options_order.php --- squirrelmail-1.4.8/src/options_order.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/options_order.php 2009-10-05 11:28:05.429483359 +0200 @@ -25,6 +25,7 @@ require_once(SM_PATH . 'functions/displa require_once(SM_PATH . 'functions/imap.php'); require_once(SM_PATH . 'functions/plugin.php'); require_once(SM_PATH . 'functions/html.php'); +require_once(SM_PATH . 'functions/forms.php'); /* get globals */ sqgetGlobalVar('num', $num, SQ_GET); 
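Review bot: The identities form is still built by hand with a literal `<form name="f" action="options_identities.php" method="post">` plus a manual `addHidden('smtoken', ...)`, whereas the other form starts in this patch are switched to `addForm(..., TRUE)`; options_order.php (L27) does the same and vcard.php (L32) goes further with a raw `<input type="hidden" name="smtoken" value="..."/>` string. Routing all three through `addForm('options_identities.php', 'post', 'f', '', '', '', TRUE)` — assuming that trailing TRUE is what emits the token field — would keep token rendering in one helper, so a later change to how the token is escaped cannot miss a site. forms.php is included in the first hunk of this file, so the helper is already available here.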
@@ -32,6 +33,9 @@ sqgetGlobalVar('add', $add, sqgetGlobalVar('submit', $submit); sqgetGlobalVar('method', $method); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ displayPageHeader($color, 'None'); @@ -81,6 +85,10 @@ displayPageHeader($color, 'None'); } } else if ($method == 'add' && $add) { /* User should not be able to insert PHP-code here */ + + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $add = str_replace ('<?', '..', $add); $add = ereg_replace ('<.*script.*language.*php.*>', '..', $add); $add = str_replace ('<%', '..', $add); @@ -125,8 +133,9 @@ displayPageHeader($color, 'None'); } if (count($index_order) != count($available)) { - echo '<form name="f" method="post" action="options_order.php">'; - echo '<select name="add">'; + echo '<form name="f" method="post" action="options_order.php">' . "\n" + . addHidden('smtoken', sm_generate_security_token()) + . '<select name="add">' . "\n"; for ($i=1; $i <= count($available); $i++) { $found = false; for ($j=1; $j <= count($index_order); $j++) { diff -up squirrelmail-1.4.8/src/options.php.secunia squirrelmail-1.4.8/src/options.php --- squirrelmail-1.4.8/src/options.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/options.php 2009-10-05 11:28:05.430483325 +0200 @@ -127,6 +127,9 @@ sqgetGlobalVar('delimiter', $delimiter, sqgetGlobalVar('optpage', $optpage); sqgetGlobalVar('optmode', $optmode, SQ_FORM); sqgetGlobalVar('optpage_data',$optpage_data, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) { + $submitted_token = ''; +} /* end of getting globals */ /* Make sure we have an Option Page set. Default to main. */ 
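Review bot: In options_order.php the token is read only from SQ_POST (`sqgetGlobalVar('smtoken', $submitted_token, SQ_POST)` in the previous hunk) and validated only in the `$method == 'add'` branch, while the same file reads `num` via SQ_GET (context in the include hunk at L26). The other branches of this if/else chain lie outside the hunk, so I cannot see whether the GET-driven paths selected by `num` also mutate `$index_order`; if they do, they can never carry a POST token and remain unprotected. options_highlight.php handles the same situation by reading the token with SQ_FORM and appending `smtoken` to its action links (L24–L25); the same approach would cover every mutating branch here.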
@@ -210,6 +213,12 @@ if ( !@is_file( $optpage_file ) ) { /*** Next, process anything that needs to be processed. ***/ /***********************************************************/ +// security check before saving anything... +//FIXME: what about SMOPT_MODE_LINK?? +if ($optmode == SMOPT_MODE_SUBMIT) { + sm_validate_security_token($submitted_token, 3600, TRUE); +} + // set empty error message $optpage_save_error=array(); @@ -408,7 +417,7 @@ if ($optpage == SMOPT_PAGE_MAIN) { /* If we are not looking at the main option page, display the page here. */ /*************************************************************************/ } else { - echo addForm('options.php', 'POST', 'f') + echo addForm('options.php', 'POST', 'f', '', '', '', TRUE) . create_optpage_element($optpage) . create_optmode_element(SMOPT_MODE_SUBMIT) . html_tag( 'table', '', '', '', 'width="100%" cellpadding="2" cellspacing="0" border="0"' ) . "\n" diff -up squirrelmail-1.4.8/src/read_body.php.secunia squirrelmail-1.4.8/src/read_body.php --- squirrelmail-1.4.8/src/read_body.php.secunia 2006-08-01 07:47:32.000000000 +0200 +++ squirrelmail-1.4.8/src/read_body.php 2009-10-05 11:28:05.430483325 +0200 @@ -502,7 +502,7 @@ function formatMenubar($mailbox, $passed $msgs_url = $base_uri . 'src/'; if (isset($where) && isset($what)) { - $msgs_url .= 'search.php?where=' . urlencode($where) . + $msgs_url .= 'search.php?smtoken=' . sm_generate_security_token() . '&where=' . urlencode($where) . '&what=' . urlencode($what) . '&mailbox=' . $urlMailbox; $msgs_str = _("Search Results"); } else { 
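Review bot: The new guard in options.php ships with `//FIXME: what about SMOPT_MODE_LINK??` unanswered, so a reader cannot tell whether link-mode option pages can persist settings without passing through the `SMOPT_MODE_SUBMIT` check. Either extend the condition to cover that mode as well, or replace the FIXME with a statement of why it is safe, e.g. `// SMOPT_MODE_LINK pages only render links; saving always goes through SMOPT_MODE_SUBMIT` — if that is in fact the case. The save logic that follows is outside the hunk.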
@@ -513,7 +513,7 @@ function formatMenubar($mailbox, $passed $s .= '<a href="' . $msgs_url . '">' . $msgs_str . '</a>'; $delete_url = $base_uri . 'src/delete_message.php?mailbox=' . $urlMailbox . - '&message=' . $passed_id . '&'; + '&message=' . $passed_id . '&smtoken=' . sm_generate_security_token() . '&'; if (!(isset($passed_ent_id) && $passed_ent_id)) { if ($where && $what) { $delete_url .= 'where=' . urlencode($where) . '&what=' . urlencode($what); diff -up squirrelmail-1.4.8/src/search.php.secunia squirrelmail-1.4.8/src/search.php --- squirrelmail-1.4.8/src/search.php.secunia 2006-07-27 20:58:48.000000000 +0200 +++ squirrelmail-1.4.8/src/search.php 2009-10-05 11:28:05.431483360 +0200 @@ -25,6 +25,7 @@ require_once(SM_PATH . 'functions/imap.p require_once(SM_PATH . 'functions/imap_search.php'); require_once(SM_PATH . 'functions/imap_mailbox.php'); require_once(SM_PATH . 'functions/strings.php'); +require_once(SM_PATH . 'functions/forms.php'); global $allow_thread_sort; @@ -60,6 +61,9 @@ if (sqgetGlobalVar('count',$count,SQ_GET } else { unset($count); } +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) { + $submitted_token = ''; +} /* end of get globals */ /* here are some functions, could go in imap_search.php @@ -210,7 +214,7 @@ function save_recent($save_index, $usern function printSearchMessages($msgs,$mailbox, $cnt, $imapConnection, $where, $what, $usecache = false, $newsort = false) { global $sort, $color, $allow_server_sort, $allow_server_thread; - + if ($cnt > 0) { if ((!empty($allow_server_sort) && $allow_server_sort) || (!empty($allow_server_thread) && $allow_server_thread)) { $msort = $msgs; 
@@ -232,11 +236,11 @@ function printSearchMessages($msgs,$mail echo '<table border="0" width="100%" cellpadding="0" cellspacing="0">'; echo '<tr><td>'; - mail_message_listing_beginning($imapConnection, $mailbox, $sort, + mail_message_listing_beginning($imapConnection, $mailbox, $sort, $msg_cnt_str, $toggle_all, 1); echo '</td></tr>'; - echo '<tr><td height="5" bgcolor="'.$color[4].'"></td></tr>'; + echo '<tr><td height="5" bgcolor="'.$color[4].'"></td></tr>'; echo '<tr><td>'; echo ' <table width="100%" cellpadding="1" cellspacing="0" align="center"'.' border="0" bgcolor="'.$color[9].'">'; echo ' <tr><td>'; @@ -288,6 +292,11 @@ if (empty($submit) && !empty($what)) { $submit = _("Search"); } +// need to verify security token if user wants to do anything +if (!empty($submit)) { + sm_validate_security_token($submitted_token, 3600, TRUE); +} + if ($submit == _("Search") && !empty($what)) { if ($recent_count > 0) { update_recent($what, $where, $mailbox, $username, $data_dir); @@ -345,6 +354,7 @@ if ($saved_count > 0) { . '?mailbox=' . urlencode($saved_attributes['saved_folder'][$i + 1]) . '&what=' . urlencode($saved_attributes['saved_what'][$i + 1]) . '&where=' . urlencode($saved_attributes['saved_where'][$i + 1]) + . '&smtoken=' . sm_generate_security_token() . '">' . _("edit") . '</a>' . ' | ' . '<a href="search.php' @@ -352,9 +362,10 @@ if ($saved_count > 0) { . '&what=' . urlencode($saved_attributes['saved_what'][$i + 1]) . '&where=' . urlencode($saved_attributes['saved_where'][$i + 1]) . '&submit=Search_no_update' + . '&smtoken=' . sm_generate_security_token() . '">' . _("search") . '</a>' . ' | ' - . "<a href=\"search.php?count=$i&submit=delete\">" + . "<a href=\"search.php?count=$i&submit=delete&smtoken=" . sm_generate_security_token() .'">' . _("delete") . '</a>' . '</td></tr>'; 
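Review bot: The token is concatenated into the href without encoding — `"<a href=\"search.php?count=$i&submit=delete&smtoken=" . sm_generate_security_token() .'">'` — while the neighbouring `what` and `where` parameters on the same lines go through urlencode(). That is only safe if the token alphabet is URL- and attribute-safe, which this hunk cannot show; `'&smtoken=' . urlencode(sm_generate_security_token())` keeps the link well-formed regardless of the generator's output. The same unencoded pattern appears in the other links of this file (L31) and in options_highlight.php (L25).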
@@ -372,7 +383,7 @@ if ($recent_count > 0) { . html_tag( 'td' ) . html_tag( 'table', '', 'center', '', 'width="100%" cellpadding="0" cellspacing="0" border="0"' ); for ($i=1; $i <= $recent_count; ++$i) { - if (isset($attributes['search_folder'][$i])) { + if (isset($attributes['search_folder'][$i])) { if ($attributes['search_folder'][$i] == "") { $attributes['search_folder'][$i] = "INBOX"; } @@ -388,7 +399,7 @@ if ($recent_count > 0) { . html_tag( 'td', htmlspecialchars($attributes['search_what'][$i]), 'left' ) . html_tag( 'td', htmlspecialchars($attributes['search_where'][$i]), 'center' ) . html_tag( 'td', '', 'right' ) - . "<a href=\"search.php?count=$i&submit=save\">" + . "<a href=\"search.php?count=$i&submit=save&smtoken=" . sm_generate_security_token() . '">' . _("save") . '</a>' . ' | ' @@ -397,9 +408,10 @@ if ($recent_count > 0) { . '&what=' . urlencode($attributes['search_what'][$i]) . '&where=' . urlencode($attributes['search_where'][$i]) . '&submit=Search_no_update' + . '&smtoken=' . sm_generate_security_token() . '">' . _("search") . '</a>' . ' | ' - . "<a href=\"search.php?count=$i&submit=forget\">" + . "<a href=\"search.php?count=$i&submit=forget&smtoken=" . sm_generate_security_token() . '">' . _("forget") . '</a>' . '</td></tr>'; @@ -436,6 +448,7 @@ if( substr( phpversion(), 0, 3 ) == '4.1 /* Search Form */ echo html_tag( 'div', '<b>' . _("Current Search") . '</b>', 'left' ) . "\n" . '<form action="search.php" name="s">' + . addHidden('smtoken', sm_generate_security_token()) . html_tag( 'table', '', '', '', 'width="95%" cellpadding="0" cellspacing="0" border="0"' ) . html_tag( 'tr' ) . html_tag( 'td', '', 'left' ) diff -up squirrelmail-1.4.8/src/vcard.php.secunia squirrelmail-1.4.8/src/vcard.php --- squirrelmail-1.4.8/src/vcard.php.secunia 2006-04-15 00:27:08.000000000 +0200 +++ squirrelmail-1.4.8/src/vcard.php 2009-10-05 11:28:05.431483360 +0200 
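Review bot: The search form `<form action="search.php" name="s">` has no method attribute, so the new `addHidden('smtoken', ...)` field is submitted as a GET parameter and lands in the URL, browser history, Referer headers and server logs for the token's lifetime. That matches search.php reading the token with SQ_GET (L29), so it works, but it is the least private placement; switching the form to `method="post"` would require the receiving side to read `smtoken` (and `count`) with SQ_FORM instead. Worth a comment either way: `// token travels in the query string: search.php reads it via SQ_GET`.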
@@ -152,6 +152,7 @@ echo '</table>' . '</td></tr>' . '<tr><td align="center">' . '<form action="../src/addressbook.php" method="post" name="f_add">' . + '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '" />' . '<table border="0" cellpadding="2" cellspacing="0" align="center">' . '<tr><td align="right"><b>' . _("Nickname") . ':</b></td>' . '<td>' . @@ -233,4 +234,4 @@ echo '<a href="../src/download.php?absol <table border="0" cellspacing="0" cellpadding="2" align="center"> <tr><td bgcolor="<?php echo $color[4]; ?>"> </td></tr></table> -</body></html> \ No newline at end of file +</body></html>