
squirrelmail-1.4.8-5.el5_7.13.src.rpm

diff -up squirrelmail-1.4.8/config/conf.pl.secunia squirrelmail-1.4.8/config/conf.pl
--- squirrelmail-1.4.8/config/conf.pl.secunia	2009-10-05 11:28:05.331426301 +0200
+++ squirrelmail-1.4.8/config/conf.pl	2009-10-05 11:28:05.423471058 +0200
@@ -336,6 +336,10 @@ if ( !$sendmail_args && $sendmail_path =
 # Added in 1.4.16
 $only_secure_cookies = 'true'     if ( !$only_secure_cookies );
 
+# Added in 1.4.20RC1
+$disable_security_tokens = 'false'      if ( !$disable_security_tokens );
+$check_referrer = ''                    if ( !$check_referrer );
+
 if ( $ARGV[0] eq '--install-plugin' ) {
     print "Activating plugin " . $ARGV[1] . "\n";
     push @plugins, $ARGV[1];
@@ -508,6 +512,8 @@ while ( ( $command ne "q" ) && ( $comman
         print "14. PHP session name             : $WHT$session_name$NRM\n";
         print "15. Location base                : $WHT$config_location_base$NRM\n";
         print "16. Only secure cookies if poss. : $WHT$only_secure_cookies$NRM\n";
+        print "17. Disable secure forms         : $WHT$disable_security_tokens$NRM\n";
+        print "18. Page referal requirement     : $WHT$check_referrer$NRM\n";
         print "\n";
         print "R   Return to Main Menu\n";
     } elsif ( $menu == 5 ) {
@@ -723,6 +729,8 @@ while ( ( $command ne "q" ) && ( $comman
             elsif ( $command == 14 ) { $session_name             = command314(); }
             elsif ( $command == 15 ) { $config_location_base     = command_config_location_base(); }
             elsif ( $command == 16 ) { $only_secure_cookies      = command316(); }
+            elsif ( $command == 17 ) { $disable_security_tokens  = command317(); }
+            elsif ( $command == 18 ) { $check_referrer           = command318(); }
         } elsif ( $menu == 5 ) {
             if ( $command == 1 ) { command41(); }
             elsif ( $command == 2 ) { $theme_css = command42(); }
@@ -2303,6 +2311,63 @@ sub command316 {
 
 
 
+# disable_security_tokens (since 1.4.20RC1)
+sub command317 {
+    print "This option allows you to turn off the security checks in the forms\n";
+    print "that SquirrelMail generates.  It is NOT RECOMMENDED that you disable\n";
+    print "this feature - otherwise, your users may be exposed to phishing and\n";
+    print "other attacks.\n";
+    print "Unless you know what you are doing, you should leave this set to \"NO\".\n";
+    print "\n";
+
+    if ( lc($disable_security_tokens) eq 'true' ) {
+        $default_value = "y";
+    } else {
+        $default_value = "n";
+    }
+    print "Disable secure forms? (y/n) [$WHT$default_value$NRM]: $WHT";
+    $disable_security_tokens = <STDIN>;
+    if ( ( $disable_security_tokens =~ /^y\n/i ) || ( ( $disable_security_tokens =~ /^\n/ ) && ( $default_value eq "y" ) ) ) {
+        $disable_security_tokens = 'true';
+    } else {
+        $disable_security_tokens = 'false';
+    }
+    return $disable_security_tokens;
+}
+
+
+
+# check_referrer (since 1.4.20RC1)
+sub command318 {
+    print "This option allows you to enable referal checks for all page requests\n";
+    print "made to SquirrelMail.  This can help ensure that page requests came\n";
+    print "from the same server and not from an attacker's site (usually the\n";
+    print "result of a XSS or phishing attack).  To enable referal checking,\n";
+    print "this setting can be set to the domain where your SquirrelMail is\n";
+    print "being hosted (usually the same as the Domain setting under Server\n";
+    print "Settings).  For example, it could be \"example.com\", or if you\n";
+    print "use a plugin (such as Login Manager) to host SquirrelMail on more\n";
+    print "than one domain, you can set this to \"###DOMAIN###\" to tell it\n";
+    print "to use the current domain.\n";
+    print "\n";
+    print "However, in some cases (where proxy servers are in use, etc.), the\n";
+    print "domain might be different.\n";
+    print "\n";
+    print "NOTE that referal checks are not foolproof - they can be spoofed by\n";
+    print "browsers, and some browsers intentionally don't send referal\n";
+    print "information (in which case, the check is silently bypassed)\n";
+    print "\n";
+
+    print "Referal requirement? [$WHT$check_referrer$NRM]: $WHT";
+    $new_check_referrer = <STDIN>;
+    chomp($new_check_referrer);
+    $check_referrer = $new_check_referrer;
+
+    return $check_referrer;
+}
+
+
+
 ####################################################################################
 #### THEMES ####
 sub command41 {
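Review bot: command318 stores whatever was typed after `chomp` with no validation, and the save_data hunk later in this patch writes that value into config.php as `print CF "\$check_referrer          = '$check_referrer';\n";`, so an input containing a single quote or backslash produces a config.php that no longer parses, and a stray path or scheme ("http://example.com/") silently never matches any referrer. The only values the auth.php side of this patch understands are an empty string, the literal `###DOMAIN###`, or a bare host name, so the prompt can reject everything else and keep the previous setting. The same unvalidated global also feeds the `$message == 2` branch text in auth.php, which is why a typo here locks every user out with an "unrecognized source" error rather than a configuration error. Note also that `$new_check_referrer` and `$default_value` are package globals (no `my`), matching the surrounding command3xx subs, so this is consistent with the file even if not ideal.
```perl
    print "Referal requirement? [$WHT$check_referrer$NRM]: $WHT";
    $new_check_referrer = <STDIN>;
    chomp($new_check_referrer);
    # Accept only: empty (check disabled), the ###DOMAIN### placeholder, or a
    # bare host name.  Anything else would be written unescaped into config.php
    # by save_data and could never match a referrer anyway.
    if ( $new_check_referrer =~ /^(?:|###DOMAIN###|[A-Za-z0-9][A-Za-z0-9.-]*)$/ ) {
        $check_referrer = $new_check_referrer;
    } else {
        print "Invalid value (use a bare domain name, ###DOMAIN###, or leave empty); keeping the current setting.\n";
    }
    return $check_referrer;
```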
@@ -3277,10 +3342,14 @@ sub save_data {
         print CF "\$session_name = '$session_name';\n";
 
     # boolean
-        print CF "\$only_secure_cookies   = $only_secure_cookies;\n";
+        print CF "\$only_secure_cookies     = $only_secure_cookies;\n";
+        print CF "\$disable_security_tokens = $disable_security_tokens;\n";
+
+    # string
+        print CF "\$check_referrer          = '$check_referrer';\n";
 
         print CF "\n";
-        print CF "\$config_location_base     = '$config_location_base';\n";
+        print CF "\$config_location_base    = '$config_location_base';\n";
 
         print CF "\n";
         print CF "\@include SM_PATH . 'config/config_local.php';\n";
diff -up squirrelmail-1.4.8/functions/auth.php.secunia squirrelmail-1.4.8/functions/auth.php
--- squirrelmail-1.4.8/functions/auth.php.secunia	2006-08-03 16:48:09.000000000 +0200
+++ squirrelmail-1.4.8/functions/auth.php	2009-10-05 11:28:05.424171414 +0200
@@ -33,17 +33,59 @@ if (! isset($use_smtp_tls)) {
  * Check if user has previously logged in to the SquirrelMail session.  If user
  * has not logged in, execution will stop inside this function.
  *
+ * This function optionally checks the referrer of this page request.  If the
+ * administrator wants to impose a check that the referrer of this page request
+ * is another page on the same domain (otherwise, the page request is likely
+ * the result of a XSS or phishing attack), then they need to specify the
+ * acceptable referrer domain in a variable named $check_referrer in
+ * config/config.php (or the configuration tool) for which the value is
+ * usually the same as the $domain setting (for example:
+ *    $check_referrer = 'example.com';
+ * However, in some cases (where proxy servers are in use, etc.), the
+ * acceptable referrer might be different.  If $check_referrer is set to
+ * "###DOMAIN###", then the current value of $domain is used (useful in
+ * situations where $domain might change at runtime (when using the Login
+ * Manager plugin to host multiple domains with one SquirrelMail installation,
+ * for example)):
+ *    $check_referrer = '###DOMAIN###';
+ * NOTE HOWEVER, that referrer checks are not foolproof - they can be spoofed
+ * by browsers, and some browsers intentionally don't send them, in which
+ * case SquirrelMail silently ignores referrer checks.
+ *
  * @return int A positive value is returned if user has previously logged in
  * successfully.
  */
 function is_logged_in() {
 
-    if ( sqsession_is_registered('user_is_logged_in') ) {
+    // check for user login as well as referrer if needed
+    //
+    global $check_referrer, $domain;
+    if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
+    if (!empty($check_referrer)) {
+        $ssl_check_referrer = 'https://' . $check_referrer;
+        $check_referrer = 'http://' . $check_referrer;
+    }
+    if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
+    if (sqsession_is_registered('user_is_logged_in') 
+     && (!$check_referrer || empty($referrer)
+      || ($check_referrer && !empty($referrer)
+       && (strpos(strtolower($referrer), strtolower($check_referrer)) === 0
+        || strpos(strtolower($referrer), strtolower($ssl_check_referrer)) === 0)))) {
         return;
     } else {
+
         global $PHP_SELF, $HTTP_POST_VARS, $_POST, $session_expired_post,
                $session_expired_location, $squirrelmail_language;
 
+        // use $message to indicate what logout text the user
+        // will see... if 0, typical "You must be logged in"
+        // if 1, information that the user session was saved
+        // and will be resumed after (re)login, if 2, there
+        // seems to have been a XSS or phishing attack (bad
+        // referrer)
+        //
+        $message = 0;
+
         //  First we store some information in the new session to prevent
         //  information-loss.
         //
@@ -55,11 +97,19 @@ function is_logged_in() {
         $session_expired_location = $PHP_SELF;
         if (!sqsession_is_registered('session_expired_post')) {
             sqsession_register($session_expired_post,'session_expired_post');
+            $message = 1;
         }
         if (!sqsession_is_registered('session_expired_location')) {
             sqsession_register($session_expired_location,'session_expired_location');
+            $message = 1;
         }
 
+        // was bad referrer the reason we were rejected?
+        //
+        if (sqsession_is_registered('user_is_logged_in') 
+         && $check_referrer && !empty($referrer))
+            $message = 2;
+      
         session_write_close();
 
         // signout page will deal with users who aren't logged 
@@ -71,7 +121,12 @@ function is_logged_in() {
 
         include_once( SM_PATH . 'functions/display_messages.php' );
         set_up_language($squirrelmail_language, true);
-        logout_error( _("You must be logged in to access this page.") );
+        if (!$message)
+            logout_error( _("You must be logged in to access this page.") );
+        else if ($message == 1)
+            logout_error( _("Your session has expired, but will be resumed after logging in again.") );
+        else if ($message == 2)
+            logout_error( _("The current page request appears to have originated from an unrecognized source.") );
         exit;
     }
 }
diff -up squirrelmail-1.4.8/functions/forms.php.secunia squirrelmail-1.4.8/functions/forms.php
--- squirrelmail-1.4.8/functions/forms.php.secunia	2006-04-15 00:27:07.000000000 +0200
+++ squirrelmail-1.4.8/functions/forms.php	2009-10-05 11:28:05.424171414 +0200
@@ -131,8 +131,24 @@ function addTextArea($name, $text = '', 
 
 /**
  * Make a <form> start-tag.
+ *
+ * @param string $action
+ * @param string $method
+ * @param string $name
+ * @param string $enctype
+ * @param string $charset
+ * @param string $extra     Any other attributes can be added with this parameter;
+ *                          they should use double quotes around attribute values
+ *                          (OPTIONAL; default empty)
+ * @param mixed  $add_token When given as a string or as boolean TRUE, a hidden
+ *                          input is also added to the form containing a security
+ *                          token.  When given as TRUE, the input name is "smtoken";
+ *                          otherwise the name is the string that is given for this
+ *                          parameter.  When FALSE, no hidden token input field is
+ *                          added.  (OPTIONAL; default not used)
+ *
  */
-function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '')
+function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '', $extra = '', $add_token = FALSE)
 {
     if($name) {
         $name = ' name="'.$name.'"';
@@ -144,8 +160,16 @@ function addForm($action, $method = 'pos
         $charset = ' accept-charset="'.htmlspecialchars($charset).'"';
     }
 
-    return '<form action="'. $action .'" method="'. $method .'"'.
-        $enctype . $name . $charset . ">\n";
+    $form_string = '<form action="'. $action .'" method="'. $method .'"'.
+        $enctype . $name . $charset . ' ' . $extra . " >\n";
+
+    if($add_token) {
+        $form_string .= '<input type="hidden" value="' . sm_generate_security_token()
+                      . '" name="' . (is_string($add_token) ? $add_token : 'smtoken')
+                      . "\" />\n";
+    }
+
+    return $form_string;
 }
 
 ?>
\ No newline at end of file
diff -up squirrelmail-1.4.8/functions/mailbox_display.php.secunia squirrelmail-1.4.8/functions/mailbox_display.php
--- squirrelmail-1.4.8/functions/mailbox_display.php.secunia	2009-10-05 11:35:48.774112071 +0200
+++ squirrelmail-1.4.8/functions/mailbox_display.php	2009-10-05 11:35:48.823483476 +0200
@@ -316,7 +316,7 @@ function getServerMessages($imapConnecti
             $end_loop = $num_msgs - $start_msg + 1;
         } else {
             $end_loop = $show_num;
-        }
+        }
         return fillMessageArray($imapConnection,$id,$end_loop,$show_num);
     } else {
         return false;
@@ -367,7 +367,7 @@ function getSelfSortMessages($imapConnec
             } else {
                 $end_loop = $show_num;
             }
-        }
+        }
         $msgs = fillMessageArray($imapConnection,$id,$end_loop, $show_num);
     }
     return $msgs;
@@ -441,7 +441,7 @@ function showMessagesForMailbox($imapCon
 	    sqgetGlobalVar('msort', $msort, SQ_SESSION);
 	} else {
     	    sqsession_unregister('msort');
-    	    sqsession_unregister('msgs');
+    	    sqsession_unregister('msgs');
 	}
         switch ($mode) {
             case 'thread':
@@ -694,6 +694,7 @@ function mail_message_listing_beginning 
         $msg = '';
     }
     $moveFields = '<input type="hidden" name="msg" value="'.htmlspecialchars($msg).'">' . "\n" .
+		  '<input type="hidden" name="smtoken" value="'.sm_generate_security_token().'">' . "\n" .
 		  '<input type="hidden" name="mailbox" value="'.htmlspecialchars($mailbox).'">' . "\n" .
 		  '<input type="hidden" name="startMessage" value="'.htmlspecialchars($start_msg).'">' . "\n";
 
diff -up squirrelmail-1.4.8/functions/strings.php.secunia squirrelmail-1.4.8/functions/strings.php
--- squirrelmail-1.4.8/functions/strings.php.secunia	2009-10-05 11:28:05.332426078 +0200
+++ squirrelmail-1.4.8/functions/strings.php	2009-10-05 11:28:05.425171187 +0200
@@ -858,6 +858,188 @@ function sq_trim_value ( &$value ) {
     $value = trim($value);
 }
 
+/**
+  * Gathers the list of secuirty tokens currently
+  * stored in the user's preferences and optionally
+  * purges old ones from the list.
+  *
+  * @param boolean $purge_old Indicates if old tokens
+  *                           should be purged from the
+  *                           list ("old" is 30 days or
+  *                           older unless the administrator
+  *                           overrides that value using
+  *                           $max_security_token_age in
+  *                           config/config_local.php)
+  *                           (OPTIONAL; default is to always
+  *                           purge old tokens)
+  *
+  * @return array The list of tokens
+  *
+  * @since 1.4.19 and 1.5.2
+  *
+  */
+function sm_get_user_security_tokens($purge_old=TRUE)
+{
+
+   global $data_dir, $username, $max_token_age_days;
+
+   $tokens = getPref($data_dir, $username, 'security_tokens', '');
+   if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens))
+      $tokens = array();
+
+   // purge old tokens if necessary
+   //
+   if ($purge_old)
+   {
+      if (empty($max_token_age_days)) $max_token_age_days = 30;
+      $now = time();
+      $discard_token_date = $now - ($max_token_age_days * 86400);
+      $cleaned_tokens = array();
+      foreach ($tokens as $token => $timestamp)
+         if ($timestamp >= $discard_token_date)
+            $cleaned_tokens[$token] = $timestamp;
+      $tokens = $cleaned_tokens;
+   }
+
+   return $tokens;
+
+}
+
+/**
+  * Generates a security token that is then stored in
+  * the user's preferences with a timestamp for later
+  * verification/use.
+  *
+  * WARNING: If the administrator has turned the token system
+  *          off by setting $disable_security_tokens to TRUE in
+  *          config/config.php or the configuration tool, this
+  *          function will not store tokens in the user
+  *          preferences (but it will still generate and return
+  *          a random string).
+  *
+  * @return void
+  *
+  * @since 1.4.19 and 1.5.2
+  *
+  */
+function sm_generate_security_token()
+{
+
+   global $data_dir, $username, $disable_security_tokens;
+   $max_generation_tries = 1000;
+
+   $tokens = sm_get_user_security_tokens();
+
+   $new_token = GenerateRandomString(12, '', 7);
+   $count = 0;
+   while (isset($tokens[$new_token]))
+   {
+      $new_token = GenerateRandomString(12, '', 7);
+      if (++$count > $max_generation_tries)
+      {
+         logout_error(_("Fatal token generation error; please contact your system administrator or the SquirrelMail Team"));
+         exit;
+      }
+   }
+
+   // is the token system enabled?  CAREFUL!
+   //
+   if (!$disable_security_tokens)
+   {
+      $tokens[$new_token] = time();
+      setPref($data_dir, $username, 'security_tokens', serialize($tokens));
+   }
+
+   return $new_token;
+
+}
+
+/**
+  * Validates a given security token and optionally remove it
+  * from the user's preferences if it was valid.  If the token
+  * is too old but otherwise valid, it will still be rejected.
+  *
+  * "Too old" is 30 days or older unless the administrator
+  * overrides that value using $max_security_token_age in
+  * config/config_local.php
+  *
+  * WARNING: If the administrator has turned the token system
+  *          off by setting $disable_security_tokens to TRUE in
+  *          config/config.php or the configuration tool, this
+  *          function will always return TRUE.
+  *
+  * @param string  $token           The token to validate
+  * @param int     $validity_period The number of seconds tokens are valid
+  *                                 for (set to zero to remove valid tokens
+  *                                 after only one use; use 3600 to allow
+  *                                 tokens to be reused for an hour)
+  *                                 (OPTIONAL; default is to only allow tokens
+  *                                 to be used once)
+  * @param boolean $show_error      Indicates that if the token is not
+  *                                 valid, this function should display
+  *                                 a generic error, log the user out
+  *                                 and exit - this function will never
+  *                                 return in that case.
+  *                                 (OPTIONAL; default FALSE)
+  *
+  * @return boolean TRUE if the token validated; FALSE otherwise
+  *
+  * @since 1.4.19 and 1.5.2
+  *
+  */
+function sm_validate_security_token($token, $validity_period=0, $show_error=FALSE)
+{
+
+   global $data_dir, $username, $max_token_age_days,
+          $disable_security_tokens;
+
+   // bypass token validation?  CAREFUL!
+   //
+   if ($disable_security_tokens) return TRUE;
+
+   // don't purge old tokens here because we already
+   // do it when generating tokens
+   //
+   $tokens = sm_get_user_security_tokens(FALSE);
+
+   // token not found?
+   //
+   if (empty($tokens[$token]))
+   {
+      if (!$show_error) return FALSE;
+      logout_error(_("This page request could not be verified and appears to have expired."));
+      exit;
+   }
+
+   $now = time();
+   $timestamp = $tokens[$token];
+
+   // whether valid or not, we want to remove it from
+   // user prefs if it's old enough
+   //
+   if ($timestamp < $now - $validity_period)
+   {
+      unset($tokens[$token]);
+      setPref($data_dir, $username, 'security_tokens', serialize($tokens));
+   }
+
+   // reject tokens that are too old
+   //
+   if (empty($max_token_age_days)) $max_token_age_days = 30;
+   $old_token_date = $now - ($max_token_age_days * 86400);
+   if ($timestamp < $old_token_date)
+   {
+      if (!$show_error) return FALSE;
+      logout_error(_("The current page request appears to have originated from an untrusted source."));
+      exit;
+   }
+
+   // token OK!
+   //
+   return TRUE;
+
+}
+
 
 $PHP_SELF = php_self();
 ?>
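Review bot: The docblocks of sm_get_user_security_tokens and sm_validate_security_token tell administrators to override the 30-day limit with `$max_security_token_age` in config/config_local.php, but the code reads `global $max_token_age_days` in both functions and nothing in this patch maps one name to the other, so an administrator following the documentation gets no effect; either the comments should say `$max_token_age_days` or the code should read `$max_security_token_age`. The docblock of sm_generate_security_token also declares `@return void` while the function ends with `return $new_token;` (and addForm, the mailbox listing and the plugins in this patch all rely on that value), so it should read `@return string The newly generated token`, and "secuirty" in the first docblock is a typo. One thing worth a comment next to `if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens))`: the guard is what keeps a corrupted or non-array preference value from being treated as a token list, so a note such as `// a malformed or non-array pref value is treated as "no tokens" rather than trusted` would stop a future maintainer from simplifying it away.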
diff -up squirrelmail-1.4.8/plugins/delete_move_next/setup.php.secunia squirrelmail-1.4.8/plugins/delete_move_next/setup.php
--- squirrelmail-1.4.8/plugins/delete_move_next/setup.php.secunia	2006-06-08 16:59:19.000000000 +0200
+++ squirrelmail-1.4.8/plugins/delete_move_next/setup.php	2009-10-05 11:28:05.425171187 +0200
@@ -184,13 +184,13 @@ function delete_move_next_read($currloc)
                  "<td bgcolor=\"$color[9]\" width=\"100%\" align=\"center\"><small>";
 
         if ($prev > 0){
-            echo "<a href=\"read_body.php?passed_id=$prev_if_del&amp;mailbox=$urlMailbox&amp;sort=$sort&amp;startMessage=$startMessage&amp;show_more=0&amp;delete_id=$passed_id\">" . _("Delete &amp; Prev") . "</a>" . "&nbsp;|&nbsp;\n";
+            echo "<a href=\"read_body.php?passed_id=$prev_if_del&amp;mailbox=$urlMailbox&amp;sort=$sort&amp;startMessage=$startMessage&amp;show_more=0&amp;delete_id=$passed_id&amp;smtoken=" . sm_generate_security_token() . "\">" . _("Delete &amp; Prev") . "</a>" . "&nbsp;|&nbsp;\n";
         }
         else {
             echo _("Delete &amp; Prev") . "&nbsp;|&nbsp;";
         }
         if ($next > 0){
-            echo "<a href=\"read_body.php?passed_id=$next_if_del&amp;mailbox=$urlMailbox&amp;sort=$sort&amp;startMessage=$startMessage&amp;show_more=0&amp;delete_id=$passed_id\">" . _("Delete &amp; Next") . "</a>\n";
+            echo "<a href=\"read_body.php?passed_id=$next_if_del&amp;mailbox=$urlMailbox&amp;sort=$sort&amp;startMessage=$startMessage&amp;show_more=0&amp;delete_id=$passed_id&amp;smtoken=" . sm_generate_security_token() . "\">" . _("Delete &amp; Next") . "</a>\n";
         } else {
             echo _("Delete &amp; Next");
         }
@@ -240,6 +240,7 @@ function delete_move_next_moveNextForm($
            "<form action=\"read_body.php?mailbox=$urlMailbox&amp;sort=$sort&amp;startMessage=$startMessage&amp;passed_id=$next\" method=\"post\"><small>".
             "<input type=\"hidden\" name=\"show_more\" value=\"0\">".
             "<input type=\"hidden\" name=\"move_id\" value=\"$passed_id\">".
+            "<input type=\"hidden\" name=\"smtoken\" value=\"" . sm_generate_security_token() . "\">".
             _("Move to:") .
             ' <select name="targetMailbox">';
     get_move_target_list(); 
@@ -263,6 +264,7 @@ function delete_move_next_moveRightMainF
             "<td bgcolor=\"$color[9]\" width=\"100%\" align=\"center\">".
             "<form action=\"right_main.php?mailbox=$urlMailbox&amp;sort=$sort&amp;startMessage=$startMessage\" method=\"post\"><small>" .
             "<input type=\"hidden\" name=\"move_id\" value=\"$passed_id\">".
+            "<input type=\"hidden\" name=\"smtoken\" value=\"" . sm_generate_security_token() . "\">".
             _("Move to:") .
             ' <select name="targetMailbox">';
     get_move_target_list(); 
@@ -279,6 +281,12 @@ function delete_move_next_delete() {
 
     sqgetGlobalVar('delete_id', $delete_id, SQ_GET);
     sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
+    if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) {
+        $submitted_token = '';
+    }
+
+    // first, validate security token
+    sm_validate_security_token($submitted_token, 3600, TRUE);
 
     sqimap_messages_delete($imapConnection, $delete_id, $delete_id, $mailbox);
     if ($auto_expunge) {
@@ -294,6 +302,13 @@ function delete_move_next_move() {
     sqgetGlobalVar('mailbox', $mailbox, SQ_FORM);
     sqgetGlobalVar('targetMailbox', $targetMailbox, SQ_POST);
 
+    if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+        $submitted_token = '';
+    }
+
+    // first, validate security token
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     // Move message
     sqimap_messages_copy($imapConnection, $move_id, $move_id, $targetMailbox);
     sqimap_messages_flag($imapConnection, $move_id, $move_id, 'Deleted', true);
diff -up squirrelmail-1.4.8/plugins/newmail/newmail_opt.php.secunia squirrelmail-1.4.8/plugins/newmail/newmail_opt.php
--- squirrelmail-1.4.8/plugins/newmail/newmail_opt.php.secunia	2009-10-05 11:40:03.240113790 +0200
+++ squirrelmail-1.4.8/plugins/newmail/newmail_opt.php	2009-10-05 11:40:03.296108415 +0200
@@ -69,6 +69,7 @@ echo '</td></tr>' .
             html_tag( 'td', '', 'center', $color[4] ) . "\n" . '<hr style="width: 25%; height: 1px;" />' . "\n";
 
 echo '<form action="'.sqm_baseuri().'src/options.php" method="post">' . "\n" .
+        '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '">' . "\n" .
         html_tag( 'table', '', '', '', 'width="100%" cellpadding="5" cellspacing="0" border="0"' ) . "\n";
 
 // Option: media_allbox
diff -up squirrelmail-1.4.8/plugins/spamcop/spamcop.php.secunia squirrelmail-1.4.8/plugins/spamcop/spamcop.php
--- squirrelmail-1.4.8/plugins/spamcop/spamcop.php.secunia	2009-10-05 11:43:40.065113645 +0200
+++ squirrelmail-1.4.8/plugins/spamcop/spamcop.php	2009-10-05 11:43:40.122358477 +0200
@@ -153,6 +153,7 @@ echo "</p>";
       $report_email = 'quick.' . $spamcop_id . '@spam.spamcop.net';
    $form_action = SM_PATH . 'src/compose.php';
 ?>  <form method="post" action="<?PHP echo $form_action?>">
+  <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" />
   <input type="hidden" name="mailbox" value="<?PHP echo htmlspecialchars($mailbox) ?>" />
   <input type="hidden" name="spamcop_is_composing" value="<?PHP echo htmlspecialchars($passed_id) ?>" />
   <input type="hidden" name="send_to" value="<?PHP echo htmlspecialchars($report_email)?>" />
diff -up squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod.secunia squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod
--- squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod.secunia	2009-10-05 11:41:37.842483368 +0200
+++ squirrelmail-1.4.8/plugins/squirrelspell/modules/lang_setup.mod	2009-10-05 11:42:35.003420972 +0200
@@ -16,6 +16,11 @@
  * @subpackage squirrelspell
  */
 
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 global $SQSPELL_APP;
 
 $msg = '<p>'
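Review bot: The token check `sm_validate_security_token($submitted_token, 3600, TRUE);` runs unconditionally at the top of lang_setup.mod, which from the visible lines is the module that renders the language form (the form's hidden `MOD` is `lang_change`, so the form submission is processed elsewhere). If lang_setup.mod can be reached by a plain link or a GET request, every user opening the language settings page will be logged out with a "could not be verified" error, since no token accompanies that navigation; the validation then belongs in the module that processes `lang_change`, or must be limited to the case where the request is a POST carrying `MOD`. I cannot see how this module is entered from the patch alone, so this should be confirmed against the squirrelspell dispatcher before merging; a comment at the check stating which request is expected to carry the token would make that contract explicit.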
@@ -23,6 +28,7 @@ $msg = '<p>'
   . '</p>'
   . '<form method="post">'
   . '<input type="hidden" name="MOD" value="lang_change" />'
+  . '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '" />'
   . '<blockquote><p>';
 /**
  * Present a nice listing.
diff -up squirrelmail-1.4.8/src/addrbook_search_html.php.secunia squirrelmail-1.4.8/src/addrbook_search_html.php
--- squirrelmail-1.4.8/src/addrbook_search_html.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/addrbook_search_html.php	2009-10-05 11:28:05.425171187 +0200
@@ -72,7 +72,7 @@ function addr_display_result($res, $incl
 
     if (sizeof($res) <= 0) return;
 
-    echo addForm($PHP_SELF, 'POST', 'addrbook').
+    echo addForm($PHP_SELF, 'POST', 'addrbook', '', '', '', TRUE).
          addHidden('html_addr_search_done', 'true');
     addr_insert_hidden();
     $line = 0;
@@ -297,7 +297,7 @@ else {
 if ($addrquery == '' || sizeof($res) == 0) {
     /* printf('<center><form method="post" name="k" action="compose.php">'."\n", $PHP_SELF); */
     echo '<center>'.
-        addForm('compose.php','POST','k');
+        addForm('compose.php','POST','k', '', '', '', TRUE);
     addr_insert_hidden();
     echo '<input type="submit" value="' . _("Return") . '" name="return" />' . "\n" .
          '</form></center></nobr>';
diff -up squirrelmail-1.4.8/src/addressbook.php.secunia squirrelmail-1.4.8/src/addressbook.php
--- squirrelmail-1.4.8/src/addressbook.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/addressbook.php	2009-10-05 11:28:05.426108290 +0200
@@ -28,6 +28,9 @@ require_once(SM_PATH . 'functions/html.p
 require_once(SM_PATH . 'functions/forms.php');
 
 /** lets get the global vars we may need */
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
 sqgetGlobalVar('key',       $key,           SQ_COOKIE);
 
 sqgetGlobalVar('username',  $username,      SQ_SESSION);
@@ -170,6 +173,9 @@ $form_url = 'addressbook.php';
 /* Handle user's actions */
 if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') {
 
+    // first, validate security token
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     /**************************************************
      * Add new address                                *
      **************************************************/
@@ -259,7 +265,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req
                         $olddata = $abook->lookup($enick, $ebackend);
 
                         /* Display the "new address" form */
-                        echo addForm($form_url, 'post').
+                        echo addForm($form_url, 'post', '', '', '', '', TRUE).
                             html_tag( 'table',
                                     html_tag( 'tr',
                                         html_tag( 'td',
@@ -291,7 +297,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req
                                        'center', '', 'width="100%"' );
 
                         /* Display the "new address" form again */
-                        echo addForm($form_url, 'post').
+                        echo addForm($form_url, 'post', '', '', '', '', TRUE).
                             html_tag( 'table',
                                 html_tag( 'tr',
                                     html_tag( 'td',
@@ -364,7 +370,7 @@ if ($showaddrlist) {
 
     /* List addresses */
     if (count($alist) > 0) {
-        echo addForm($form_url, 'post');
+        echo addForm($form_url, 'post', 'address_book_form', '', '', '', TRUE);
         while(list($undef,$row) = each($alist)) {
 
             /* New table header for each backend */
@@ -478,7 +484,7 @@ if ($showaddrlist) {
 
 /* Display the "new address" form */
 echo '<a name="AddAddress"></a>' . "\n" .
-    addForm($form_url, 'post', 'f_add').
+    addForm($form_url, 'post', 'f_add', '', '', '', TRUE).
     html_tag( 'table',  
         html_tag( 'tr',
             html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",
diff -up squirrelmail-1.4.8/src/compose.php.secunia squirrelmail-1.4.8/src/compose.php
--- squirrelmail-1.4.8/src/compose.php.secunia	2009-10-05 11:28:05.323420793 +0200
+++ squirrelmail-1.4.8/src/compose.php	2009-10-05 11:28:05.427108454 +0200
@@ -59,6 +59,9 @@ if (isset($send) && $send) {
     $SQ_GLOBAL = SQ_FORM;
 }
 sqgetGlobalVar('smaction',$action, $SQ_GLOBAL);
+if (!sqgetGlobalVar('smtoken',$submitted_token, $SQ_GLOBAL)) {
+    $submitted_token = '';
+}
 sqgetGlobalVar('session',$session, $SQ_GLOBAL);
 sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL);
 if ( !sqgetGlobalVar('identity',$identity, $SQ_GLOBAL) ) {
@@ -358,6 +361,11 @@ if (!isset($mailbox) || $mailbox == '' |
 }
 
 if ($draft) {
+
+    // validate security token
+    //
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     /*
      * Set $default_charset to correspond with the user's selection
      * of language interface.
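Review bot: The call `sm_validate_security_token($submitted_token, 3600, TRUE);` added inside the `if ($draft)` branch is repeated verbatim in the `$send`, `$html_addr_search_done`, `$attach` and `$sigappend` branches of the same chain in the later hunks of this file, which makes it easy for a future action branch to be added without the check. A single guarded call placed before the chain, `if ($draft || $send || isset($html_addr_search_done) || isset($attach) || isset($sigappend)) sm_validate_security_token($submitted_token, 3600, TRUE);`, keeps the same set of state-changing actions covered in one place; the initial GET that opens the compose screen carries none of those flags and stays unaffected. The chain continues past the end of this chunk, so any branches beyond `$do_delete` would need to be included in that condition as well.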
@@ -374,11 +382,11 @@ if ($draft) {
         if(isset($delete_draft)) {
             if ( !isset($pageheader_sent) || !$pageheader_sent ) {
                 Header("Location: $location/delete_message.php?mailbox=" . urlencode($draft_folder) .
-                        "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes");
+                        "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes&smtoken=" . sm_generate_security_token());
             } else {
                 echo '   <br><br><center><a href="' . $location
                     . "/delete_message.php?mailbox=" . urlencode($draft_folder)
-                    . "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes\">"
+                    . "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes&smtoken=" . sm_generate_security_token() . "\">"
                     . _("Return") . '</a></center>';
             }
             exit();
@@ -411,6 +419,11 @@ if ($draft) {
 }
 
 if ($send) {
+
+    // validate security token
+    //
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     if (isset($_FILES['attachfile']) &&
             $_FILES['attachfile']['tmp_name'] &&
             $_FILES['attachfile']['tmp_name'] != 'none') {
@@ -471,7 +484,7 @@ if ($send) {
         /* if it is resumed draft, delete draft message */
         if ( isset($delete_draft)) {
             Header("Location: $location/delete_message.php?mailbox=" . urlencode( $draft_folder ).
-                    "&message=$delete_draft&sort=$sort&startMessage=1&mail_sent=yes");
+                    "&message=$delete_draft&sort=$sort&startMessage=1&mail_sent=yes&smtoken=" . sm_generate_security_token());
             exit();
         }
         if ($compose_new_win == '1') {
@@ -498,6 +511,11 @@ if ($send) {
         /* sqimap_logout($imapConnection); */
     }
 } elseif (isset($html_addr_search_done)) {
+
+    // validate security token
+    //
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);
     }
@@ -542,6 +560,11 @@ if ($send) {
      */
     include_once('./addrbook_search_html.php');
 } elseif (isset($attach)) {
+
+    // validate security token
+    //
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     if (saveAttachedFiles($session)) {
         plain_error_message(_("Could not move/copy file. File not attached"), $color);
     }
@@ -553,6 +576,10 @@ if ($send) {
     showInputForm($session);
 }
 elseif (isset($sigappend)) {
+
+    // first do a security check
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     $idents = getPref($data_dir, $username, 'identities', 0);
     if ($idents > 1) {
        if ($identity == 'default') {
@@ -570,6 +597,11 @@ elseif (isset($sigappend)) {
     }
     showInputForm($session);
 } elseif (isset($do_delete)) {
+
+    // validate security token
+    //
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     if ($compose_new_win == '1') {
         compose_Header($color, $mailbox);
     } else {
@@ -1028,6 +1060,7 @@ function showInputForm ($session, $value
 
     echo ">\n";
 
+    echo addHidden('smtoken', sm_generate_security_token());
     echo addHidden('startMessage', $startMessage);
 
     if ($action == 'draft') {
diff -up squirrelmail-1.4.8/src/delete_message.php.secunia squirrelmail-1.4.8/src/delete_message.php
--- squirrelmail-1.4.8/src/delete_message.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/delete_message.php	2009-10-05 11:39:23.848483379 +0200
@@ -29,6 +29,9 @@ sqgetGlobalVar('onetimepad', $onetimepad
 
 sqgetGlobalVar('message', $message, SQ_GET);
 sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) {
+    $submitted_token = '';
+}
 /* end globals */
 
 if (isset($_GET['saved_draft'])) {
@@ -50,6 +53,9 @@ if (isset($_GET['startMessage'])) {
     $startMessage = (int) $_GET['startMessage'];
 }
 
+// first, validate security token
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
 
 sqimap_mailbox_select($imapConnection, $mailbox);
@@ -72,6 +78,7 @@ $location = get_location();
 
 if (isset($where) && isset($what)) {
     header("Location: $location/search.php?where=" . $where .
+           '&smtoken=' . sm_generate_security_token() .
            '&what=' . $what . '&mailbox=' . urlencode($mailbox));
 } else {
     if (!empty($saved_draft) || !empty($mail_sent)) {
diff -up squirrelmail-1.4.8/src/folders_create.php.secunia squirrelmail-1.4.8/src/folders_create.php
--- squirrelmail-1.4.8/src/folders_create.php.secunia	2006-08-05 13:08:55.000000000 +0200
+++ squirrelmail-1.4.8/src/folders_create.php	2009-10-05 11:28:05.427108454 +0200
@@ -35,8 +35,14 @@ sqgetGlobalVar('subfolder',    $subfolde
 if (! sqgetGlobalVar('contain_subs', $contain_subs,  SQ_POST)) {
     unset($contains_subs);
 }
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
 /* end of get globals */
 
+// first, validate security token
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $folder_name = trim($folder_name);
 
 if (substr_count($folder_name, '"') || substr_count($folder_name, "\\") ||
diff -up squirrelmail-1.4.8/src/folders_delete.php.secunia squirrelmail-1.4.8/src/folders_delete.php
--- squirrelmail-1.4.8/src/folders_delete.php.secunia	2006-02-03 23:27:55.000000000 +0100
+++ squirrelmail-1.4.8/src/folders_delete.php	2009-10-05 11:28:05.427108454 +0200
@@ -39,6 +39,9 @@ sqgetGlobalVar('username',  $username,  
 sqgetGlobalVar('onetimepad',$onetimepad,    SQ_SESSION);
 sqgetGlobalVar('delimiter', $delimiter,     SQ_SESSION);
 sqgetGlobalVar('mailbox',   $mailbox,       SQ_POST);
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
 /* end globals */
 
 if ($mailbox == '') {
@@ -66,7 +69,7 @@ if( !sqgetGlobalVar('confirmed', $tmp, S
         html_tag( 'tr' ) .
         html_tag( 'td', '', 'center', $color[4] ) .
         sprintf(_("Are you sure you want to delete %s?"), str_replace(array(' ','<','>'),array('&nbsp;','&lt;','&gt;'),imap_utf7_decode_local($mailbox))).
-        addForm('folders_delete.php', 'post')."<p>\n".
+        addForm('folders_delete.php', 'post', '', '', '', '', TRUE)."<p>\n".
         addHidden('mailbox', $mailbox).
         addSubmit(_("Yes"), 'confirmed').
         addSubmit(_("No"), 'backingout').
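Review bot: The new trailing `TRUE` in `addForm('folders_delete.php', 'post', '', '', '', '', TRUE)` is a seventh positional argument preceded by four empty placeholders, and nothing at the call site says what it switches on; the same call shape recurs in folders.php (hunks ending at lines 893, 902, 911 and 920), folders_rename_getname.php (line 950), options_highlight.php (line 1046) and options.php (line 1173). Presumably it makes addForm emit the hidden smtoken field, but the forms.php change is not in this patch excerpt, so that should be confirmed. A short trailing comment at each site, `// TRUE: emit hidden smtoken field (see forms.php)`, or a thin wrapper that takes the flag under a descriptive name, would make the intent reviewable. The enclosing echo/concatenation starts and ends outside this hunk.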
@@ -75,6 +78,9 @@ if( !sqgetGlobalVar('confirmed', $tmp, S
     exit;
 }
 
+// first, validate security token
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
 
 $boxes = sqimap_mailbox_list ($imap_stream);
diff -up squirrelmail-1.4.8/src/folders.php.secunia squirrelmail-1.4.8/src/folders.php
--- squirrelmail-1.4.8/src/folders.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/folders.php	2009-10-05 11:28:05.427108454 +0200
@@ -100,7 +100,7 @@ echo html_tag( 'table', '', 'center', ''
             ) .
             html_tag( 'tr' ) .
                 html_tag( 'td', '', 'center', $color[0] ) .
-     addForm('folders_create.php', 'POST', 'cf').
+     addForm('folders_create.php', 'POST', 'cf', '', '', '', TRUE).
      addInput('folder_name', '', 25).
      "<br />\n". _("as a subfolder of"). '<br />'.
      "<tt><select name=\"subfolder\">\n";
@@ -260,7 +260,7 @@ echo html_tag( 'table', '', 'center', ''
                 html_tag( 'td', '', 'center', $color[0], 'width="50%"' );
 
 if ($count_special_folders < count($boxes)) {
-    echo addForm('folders_subscribe.php?method=unsub')
+    echo addForm('folders_subscribe.php?method=unsub', 'post', '', '', '', '', TRUE)
        . "<tt><select name=\"mailbox[]\" multiple=\"multiple\" size=\"8\">\n";
     for ($i = 0; $i < count($boxes); $i++) {
         $use_folder = true;
@@ -308,7 +308,7 @@ if(!$no_list_for_subscribe) {
   }
   
   if (count($box) > 0) {
-    echo addForm('folders_subscribe.php?method=sub')
+    echo addForm('folders_subscribe.php?method=sub', 'post', '', '', '', '', TRUE)
        . '<tt><select name="mailbox[]" multiple="multiple" size="8">';
 
     for ($q = 0; $q < count($box); $q++) {      
@@ -323,7 +323,7 @@ if(!$no_list_for_subscribe) {
   }
 } else {
   /* don't perform the list action -- this is much faster */
-  echo addForm('folders_subscribe.php?method=sub')
+  echo addForm('folders_subscribe.php?method=sub', 'post', '', '', '', '', TRUE)
      . _("Subscribe to:") . '<br />'
      . '<tt><input type="text" name="mailbox[]" size="35" />'
      . '<input type="submit" value="'. _("Subscribe") . "\" />\n"
diff -up squirrelmail-1.4.8/src/folders_rename_do.php.secunia squirrelmail-1.4.8/src/folders_rename_do.php
--- squirrelmail-1.4.8/src/folders_rename_do.php.secunia	2006-02-03 23:27:55.000000000 +0100
+++ squirrelmail-1.4.8/src/folders_rename_do.php	2009-10-05 11:28:05.428483276 +0200
@@ -33,8 +33,14 @@ sqgetGlobalVar('onetimepad',$onetimepad,
 sqgetGlobalVar('orig',      $orig,          SQ_POST);
 sqgetGlobalVar('old_name',  $old_name,      SQ_POST);
 sqgetGlobalVar('new_name',  $new_name,      SQ_POST);
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
 /* end globals */
 
+// first, validate security token
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $new_name = trim($new_name);
 
 if (substr_count($new_name, '"') || substr_count($new_name, "\\") ||
diff -up squirrelmail-1.4.8/src/folders_rename_getname.php.secunia squirrelmail-1.4.8/src/folders_rename_getname.php
--- squirrelmail-1.4.8/src/folders_rename_getname.php.secunia	2006-02-03 23:27:55.000000000 +0100
+++ squirrelmail-1.4.8/src/folders_rename_getname.php	2009-10-05 11:28:05.428483276 +0200
@@ -69,7 +69,7 @@ echo '<br />' .
         ) .
         html_tag( 'tr' ) .
             html_tag( 'td', '', 'center', $color[4] ) .
-            addForm('folders_rename_do.php').
+            addForm('folders_rename_do.php', 'post', '', '', '', '', TRUE).
      _("New name:").
      '<br /><b>' . htmlspecialchars($old_parent) . ' ' . htmlspecialchars($delimiter) . '</b>' .
      addInput('new_name', $old_name, 25) . '<br />' . "\n";
diff -up squirrelmail-1.4.8/src/folders_subscribe.php.secunia squirrelmail-1.4.8/src/folders_subscribe.php
--- squirrelmail-1.4.8/src/folders_subscribe.php.secunia	2006-02-03 23:27:55.000000000 +0100
+++ squirrelmail-1.4.8/src/folders_subscribe.php	2009-10-05 11:28:05.428483276 +0200
@@ -31,8 +31,14 @@ sqgetGlobalVar('username',  $username,  
 sqgetGlobalVar('onetimepad',$onetimepad,    SQ_SESSION);
 sqgetGlobalVar('method',    $method,        SQ_GET);
 sqgetGlobalVar('mailbox',   $mailbox,       SQ_POST);
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
 /* end globals */
 
+// first, validate security token
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $location = get_location();
 
 if (!isset($mailbox) || !isset($mailbox[0]) || $mailbox[0] == '') {
diff -up squirrelmail-1.4.8/src/move_messages.php.secunia squirrelmail-1.4.8/src/move_messages.php
--- squirrelmail-1.4.8/src/move_messages.php.secunia	2006-05-13 22:01:15.000000000 +0200
+++ squirrelmail-1.4.8/src/move_messages.php	2009-10-05 11:28:05.428483276 +0200
@@ -130,8 +130,14 @@ sqgetGlobalVar('markUnread',      $markU
 sqgetGlobalVar('attache',         $attache,         SQ_POST);
 sqgetGlobalVar('location',        $location,        SQ_POST);
 
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
 /* end of get globals */
 
+// security check
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
 $mbx_response=sqimap_mailbox_select($imapConnection, $mailbox);
 
diff -up squirrelmail-1.4.8/src/options_highlight.php.secunia squirrelmail-1.4.8/src/options_highlight.php
--- squirrelmail-1.4.8/src/options_highlight.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/options_highlight.php	2009-10-05 11:28:05.429483359 +0200
@@ -37,6 +37,9 @@ sqGetGlobalVar('color_type', $color_type
 sqGetGlobalVar('match_type', $match_type);
 sqGetGlobalVar('value', $value);
 
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
+    $submitted_token = '';
+}
 /* end of get globals */
  
 function oh_opt( $val, $sel, $tit ) {
@@ -56,6 +59,10 @@ if (! isset($message_highlight_list)) {
 if (isset($theid) && ($action == 'delete') ||
                      ($action == 'up')     ||
                      ($action == 'down')) {
+
+    // security check
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     $new_rules = array();
     switch($action) {
         case('delete'):
@@ -90,6 +97,9 @@ if (isset($theid) && ($action == 'delete
     exit;
 } else if ($action == 'save') {
 
+    // security check
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     if ($color_type == 1) $newcolor = $newcolor_choose;
     elseif ($color_type == 2) $newcolor = $newcolor_input;
     else $newcolor = $color_type;
@@ -150,13 +160,13 @@ if ($mhl_count > 0) {
 
         $links = '<small>[<a href="options_highlight.php?action=edit&amp;theid=' . $i . '">' .
                  _("Edit") .
-                 '</a>]&nbsp;[<a href="options_highlight.php?action=delete&amp;theid='.  $i . '">' .
+                 '</a>]&nbsp;[<a href="options_highlight.php?action=delete&amp;smtoken=' . sm_generate_security_token() . '&amp;theid='.  $i . '">' .
                  _("Delete");
         if($i > 0) {
-            $links .= '</a>]&nbsp;[<a href="options_highlight.php?action=up&amp;theid='.  $i . '">' .  _("Up");
+            $links .= '</a>]&nbsp;[<a href="options_highlight.php?action=up&amp;smtoken=' . sm_generate_security_token() . '&amp;theid='.  $i . '">' .  _("Up");
         }
         if($i+1 < $mhl_count) {
-            $links .= '</a>]&nbsp;[<a href="options_highlight.php?action=down&amp;theid='.  $i . '">' .  _("Down");
+            $links .= '</a>]&nbsp;[<a href="options_highlight.php?action=down&amp;smtoken=' . sm_generate_security_token() . '&amp;theid='.  $i . '">' .  _("Down");
         }
         $links .= '</a>]</small>';
 
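Review bot: `sm_generate_security_token()` is called up to three times per highlight rule inside this loop (lines 1026, 1030 and 1034), and again once per row and per action in the search.php saved/recent listings (hunks ending at lines 1270 and 1300). If each call mints and persists a fresh token — which cannot be confirmed from this patch — a long rule list or search history will leave a large number of outstanding tokens per page view, each accepted for the 3600-second window the validators allow. Generating once before the loop, `$token = sm_generate_security_token();`, and reusing `$token` in the three links would avoid that, provided the token functions permit reuse of one token across links on the same page. The enclosing `if ($mhl_count > 0)` block starts outside this hunk.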
@@ -361,7 +371,7 @@ if ($action == 'edit' || $action == 'add
     else if ($selected_choose == '')
         $selected_input = TRUE;
 
-    echo addForm('options_highlight.php', 'POST', 'f').
+    echo addForm('options_highlight.php', 'POST', 'f', '', '', '', TRUE).
          addHidden('action', 'save');
     if($action == 'edit') {
         echo addHidden('theid', (isset($theid)?$theid:''));
@@ -465,4 +475,4 @@ if ($action == 'edit' || $action == 'add
 }
 do_hook('options_highlight_bottom');
 ?>
-</table></body></html>
\ No newline at end of file
+</table></body></html>
diff -up squirrelmail-1.4.8/src/options_identities.php.secunia squirrelmail-1.4.8/src/options_identities.php
--- squirrelmail-1.4.8/src/options_identities.php.secunia	2006-06-12 19:54:46.000000000 +0200
+++ squirrelmail-1.4.8/src/options_identities.php	2009-10-05 11:28:05.429483359 +0200
@@ -24,6 +24,7 @@ require_once(SM_PATH . 'include/validate
 include_once(SM_PATH . 'functions/global.php');
 include_once(SM_PATH . 'functions/display_messages.php');
 include_once(SM_PATH . 'functions/html.php');
+include_once(SM_PATH . 'functions/forms.php');
 include_once(SM_PATH . 'functions/identity.php');
 
 /* make sure that page is not available when $edit_identity is false */
@@ -39,9 +40,16 @@ sqgetGlobalVar('newidentities', $newiden
 sqgetGlobalVar('smaction', $smaction, SQ_POST);
 sqgetGlobalVar('return', $return, SQ_POST);
 
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
+
 // First lets see if there are any actions to perform //
 if (!empty($smaction) && is_array($smaction)) {
 
+    // first do a security check
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     $doaction = '';
     $identid = 0;
 
@@ -69,9 +77,9 @@ displayPageHeader($color, 'None');
 
 do_hook('options_identities_top');
 
-$td_str = '';
-$td_str .= '<form name="f" action="options_identities.php" method="post"><br />' . "\n";
-$td_str .= '<table border="0" cellspacing="0" cellpadding="0" width="100%">' . "\n";
+$td_str = '<form name="f" action="options_identities.php" method="post"><br />' . "\n"
+        . addHidden('smtoken', sm_generate_security_token()) . "\n"
+        . '<table border="0" cellspacing="0" cellpadding="0" width="100%">' . "\n";
 $cnt = count($identities);
 foreach( $identities as $iKey=>$ident ) {
 
diff -up squirrelmail-1.4.8/src/options_order.php.secunia squirrelmail-1.4.8/src/options_order.php
--- squirrelmail-1.4.8/src/options_order.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/options_order.php	2009-10-05 11:28:05.429483359 +0200
@@ -25,6 +25,7 @@ require_once(SM_PATH . 'functions/displa
 require_once(SM_PATH . 'functions/imap.php');
 require_once(SM_PATH . 'functions/plugin.php');
 require_once(SM_PATH . 'functions/html.php');
+require_once(SM_PATH . 'functions/forms.php');
 
 /* get globals */
 sqgetGlobalVar('num',       $num,       SQ_GET);  
@@ -32,6 +33,9 @@ sqgetGlobalVar('add',       $add,       
 
 sqgetGlobalVar('submit',    $submit);
 sqgetGlobalVar('method',    $method);
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+    $submitted_token = '';
+}
 /* end of get globals */
 
 displayPageHeader($color, 'None');
@@ -81,6 +85,10 @@ displayPageHeader($color, 'None');
         }
     } else if ($method == 'add' && $add) {
         /* User should not be able to insert PHP-code here */
+
+        // first do a security check
+        sm_validate_security_token($submitted_token, 3600, TRUE);
+
         $add = str_replace ('<?', '..', $add);
         $add = ereg_replace ('<.*script.*language.*php.*>', '..', $add);
         $add = str_replace ('<%', '..', $add);
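Review bot: The token check inserted at line 1122 sits between the pre-existing comment `/* User should not be able to insert PHP-code here */` (line 1119) and the `str_replace` calls it describes (lines 1124–1126), so the comment now reads as though it explains the security-token call. Move the validation and its own comment above that line, directly after the `else if` on line 1118, so each comment stays attached to the code it describes. Only the `add` branch is visible here; the sibling branches of this `if`/`else if` chain begin before the hunk, so whether they are also token-protected or are non-mutating cannot be confirmed from this patch. The enclosing block starts and ends outside this hunk.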
@@ -125,8 +133,9 @@ displayPageHeader($color, 'None');
     }
     
     if (count($index_order) != count($available)) {
-        echo '<form name="f" method="post" action="options_order.php">';
-        echo '<select name="add">';
+        echo '<form name="f" method="post" action="options_order.php">' . "\n"
+           . addHidden('smtoken', sm_generate_security_token())
+           . '<select name="add">' . "\n";
         for ($i=1; $i <= count($available); $i++) {
             $found = false;
             for ($j=1; $j <= count($index_order); $j++) {
diff -up squirrelmail-1.4.8/src/options.php.secunia squirrelmail-1.4.8/src/options.php
--- squirrelmail-1.4.8/src/options.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/options.php	2009-10-05 11:28:05.430483325 +0200
@@ -127,6 +127,9 @@ sqgetGlobalVar('delimiter', $delimiter, 
 sqgetGlobalVar('optpage',     $optpage);
 sqgetGlobalVar('optmode',     $optmode,      SQ_FORM);
 sqgetGlobalVar('optpage_data',$optpage_data, SQ_POST);
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
+    $submitted_token = '';
+}
 /* end of getting globals */
 
 /* Make sure we have an Option Page set. Default to main. */
@@ -210,6 +213,12 @@ if ( !@is_file( $optpage_file ) ) {
 /*** Next, process anything that needs to be processed. ***/
 /***********************************************************/
 
+// security check before saving anything...
+//FIXME: what about SMOPT_MODE_LINK??
+if ($optmode == SMOPT_MODE_SUBMIT) {
+   sm_validate_security_token($submitted_token, 3600, TRUE);
+}
+
 // set empty error message
 $optpage_save_error=array();
 
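Review bot: The validation added at lines 1158–1160 only covers `SMOPT_MODE_SUBMIT`, and the `//FIXME: what about SMOPT_MODE_LINK??` on line 1157 leaves open whether option pages acting in link mode can still change state without a token; that question is better settled in the commit than deferred, since a reader cannot tell from here whether link-mode requests are read-only. If link mode is intentionally exempt, replace the FIXME with a sentence stating why link-mode requests cannot modify preferences; if it is not, the condition needs extending. Separately, the body of the `if` at line 1159 is indented three spaces where the surrounding file uses four.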
@@ -408,7 +417,7 @@ if ($optpage == SMOPT_PAGE_MAIN) {
 /* If we are not looking at the main option page, display the page here. */
 /*************************************************************************/
 } else {
-    echo addForm('options.php', 'POST', 'f')
+    echo addForm('options.php', 'POST', 'f', '', '', '', TRUE)
        . create_optpage_element($optpage)
        . create_optmode_element(SMOPT_MODE_SUBMIT)
        . html_tag( 'table', '', '', '', 'width="100%" cellpadding="2" cellspacing="0" border="0"' ) . "\n"
diff -up squirrelmail-1.4.8/src/read_body.php.secunia squirrelmail-1.4.8/src/read_body.php
--- squirrelmail-1.4.8/src/read_body.php.secunia	2006-08-01 07:47:32.000000000 +0200
+++ squirrelmail-1.4.8/src/read_body.php	2009-10-05 11:28:05.430483325 +0200
@@ -502,7 +502,7 @@ function formatMenubar($mailbox, $passed
 
     $msgs_url = $base_uri . 'src/';
     if (isset($where) && isset($what)) {
-        $msgs_url .= 'search.php?where=' . urlencode($where) .
+        $msgs_url .= 'search.php?smtoken=' . sm_generate_security_token() . '&amp;where=' . urlencode($where) .
                      '&amp;what=' . urlencode($what) . '&amp;mailbox=' . $urlMailbox;
         $msgs_str  = _("Search Results");
     } else {
@@ -513,7 +513,7 @@ function formatMenubar($mailbox, $passed
     $s .= '<a href="' . $msgs_url . '">' . $msgs_str . '</a>';
 
     $delete_url = $base_uri . 'src/delete_message.php?mailbox=' . $urlMailbox .
-                  '&amp;message=' . $passed_id . '&amp;';
+                  '&amp;message=' . $passed_id . '&amp;smtoken=' . sm_generate_security_token() . '&amp;';
     if (!(isset($passed_ent_id) && $passed_ent_id)) {
         if ($where && $what) {
             $delete_url .= 'where=' . urlencode($where) . '&amp;what=' . urlencode($what);
diff -up squirrelmail-1.4.8/src/search.php.secunia squirrelmail-1.4.8/src/search.php
--- squirrelmail-1.4.8/src/search.php.secunia	2006-07-27 20:58:48.000000000 +0200
+++ squirrelmail-1.4.8/src/search.php	2009-10-05 11:28:05.431483360 +0200
@@ -25,6 +25,7 @@ require_once(SM_PATH . 'functions/imap.p
 require_once(SM_PATH . 'functions/imap_search.php');
 require_once(SM_PATH . 'functions/imap_mailbox.php');
 require_once(SM_PATH . 'functions/strings.php');
+require_once(SM_PATH . 'functions/forms.php');
 
 global $allow_thread_sort;
 
@@ -60,6 +61,9 @@ if (sqgetGlobalVar('count',$count,SQ_GET
 } else {
     unset($count);
 }
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) {
+    $submitted_token = '';
+}
 /* end of get globals */
 
 /*  here are some functions, could go in imap_search.php
@@ -210,7 +214,7 @@ function save_recent($save_index, $usern
 
 function printSearchMessages($msgs,$mailbox, $cnt, $imapConnection, $where, $what, $usecache = false, $newsort = false) {
     global $sort, $color, $allow_server_sort, $allow_server_thread;
-    
+
     if ($cnt > 0) {
         if ((!empty($allow_server_sort) && $allow_server_sort) || (!empty($allow_server_thread) && $allow_server_thread)) {
             $msort = $msgs;
@@ -232,11 +236,11 @@ function printSearchMessages($msgs,$mail
         echo '<table border="0" width="100%" cellpadding="0" cellspacing="0">';
         echo '<tr><td>';
 
-        mail_message_listing_beginning($imapConnection, $mailbox, $sort, 
+        mail_message_listing_beginning($imapConnection, $mailbox, $sort,
                                        $msg_cnt_str, $toggle_all, 1);
 
         echo '</td></tr>';
-        echo '<tr><td height="5" bgcolor="'.$color[4].'"></td></tr>';  
+        echo '<tr><td height="5" bgcolor="'.$color[4].'"></td></tr>';
         echo '<tr><td>';
         echo '    <table width="100%" cellpadding="1" cellspacing="0" align="center"'.' border="0" bgcolor="'.$color[9].'">';
         echo '     <tr><td>';
@@ -288,6 +292,11 @@ if (empty($submit) && !empty($what)) {
     $submit = _("Search");
 }
 
+// need to verify security token if user wants to do anything
+if (!empty($submit)) {
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+}
+
 if ($submit == _("Search") && !empty($what)) {
     if ($recent_count > 0) {
         update_recent($what, $where, $mailbox, $username, $data_dir);
@@ -345,6 +354,7 @@ if ($saved_count > 0) {
         .     '?mailbox=' . urlencode($saved_attributes['saved_folder'][$i + 1])
         .     '&amp;what=' . urlencode($saved_attributes['saved_what'][$i + 1])
         .     '&amp;where=' . urlencode($saved_attributes['saved_where'][$i + 1])
+        .     '&amp;smtoken=' . sm_generate_security_token()
         .   '">' . _("edit") . '</a>'
         .   '&nbsp;|&nbsp;'
         .   '<a href="search.php'
@@ -352,9 +362,10 @@ if ($saved_count > 0) {
         .     '&amp;what=' . urlencode($saved_attributes['saved_what'][$i + 1])
         .     '&amp;where=' . urlencode($saved_attributes['saved_where'][$i + 1])
         .     '&amp;submit=Search_no_update'
+        .     '&amp;smtoken=' . sm_generate_security_token()
         .   '">' . _("search") . '</a>'
         .   '&nbsp;|&nbsp;'
-        .   "<a href=\"search.php?count=$i&amp;submit=delete\">"
+        .   "<a href=\"search.php?count=$i&amp;submit=delete&amp;smtoken=" . sm_generate_security_token() .'">'
         .     _("delete")
         .   '</a>'
         . '</td></tr>';
@@ -372,7 +383,7 @@ if ($recent_count > 0) {
        . html_tag( 'td' )
        . html_tag( 'table', '', 'center', '', 'width="100%" cellpadding="0" cellspacing="0" border="0"' );
     for ($i=1; $i <= $recent_count; ++$i) {
-            if (isset($attributes['search_folder'][$i])) { 
+            if (isset($attributes['search_folder'][$i])) {
             if ($attributes['search_folder'][$i] == "") {
                 $attributes['search_folder'][$i] = "INBOX";
             }
@@ -388,7 +399,7 @@ if ($recent_count > 0) {
                . html_tag( 'td', htmlspecialchars($attributes['search_what'][$i]), 'left' )
                . html_tag( 'td', htmlspecialchars($attributes['search_where'][$i]), 'center' )
                . html_tag( 'td', '', 'right' )
-               .   "<a href=\"search.php?count=$i&amp;submit=save\">"
+               .   "<a href=\"search.php?count=$i&amp;submit=save&amp;smtoken=" . sm_generate_security_token() . '">'
                .     _("save")
                .   '</a>'
                .   '&nbsp;|&nbsp;'
@@ -397,9 +408,10 @@ if ($recent_count > 0) {
                .     '&amp;what=' . urlencode($attributes['search_what'][$i])
                .     '&amp;where=' . urlencode($attributes['search_where'][$i])
                .     '&amp;submit=Search_no_update'
+               .     '&amp;smtoken=' . sm_generate_security_token()
                .   '">' . _("search") . '</a>'
                .   '&nbsp;|&nbsp;'
-               .   "<a href=\"search.php?count=$i&amp;submit=forget\">"
+               .   "<a href=\"search.php?count=$i&amp;submit=forget&amp;smtoken=" . sm_generate_security_token() . '">'
                .     _("forget")
                .   '</a>'
                . '</td></tr>';
@@ -436,6 +448,7 @@ if( substr( phpversion(), 0, 3 ) == '4.1
 /* Search Form */
 echo html_tag( 'div', '<b>' . _("Current Search") . '</b>', 'left' ) . "\n"
    . '<form action="search.php" name="s">'
+   . addHidden('smtoken', sm_generate_security_token())
    . html_tag( 'table', '', '', '', 'width="95%" cellpadding="0" cellspacing="0" border="0"' )
    . html_tag( 'tr' )
    . html_tag( 'td', '', 'left' )
diff -up squirrelmail-1.4.8/src/vcard.php.secunia squirrelmail-1.4.8/src/vcard.php
--- squirrelmail-1.4.8/src/vcard.php.secunia	2006-04-15 00:27:08.000000000 +0200
+++ squirrelmail-1.4.8/src/vcard.php	2009-10-05 11:28:05.431483360 +0200
@@ -152,6 +152,7 @@ echo '</table>' .
      '</td></tr>' .
      '<tr><td align="center">' .
      '<form action="../src/addressbook.php" method="post" name="f_add">' .
+     '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '" />' .
      '<table border="0" cellpadding="2" cellspacing="0" align="center">' .
      '<tr><td align="right"><b>' . _("Nickname") . ':</b></td>' .
      '<td>' .
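Review bot: The hidden token field at line 1316 is assembled by hand as a raw `<input>` string, whereas every other form in this patch uses the forms.php helper, `addHidden('smtoken', sm_generate_security_token())` (compose.php line 797, options_identities.php line 1090, options_order.php line 1134, search.php line 1305). Using the helper here too keeps attribute escaping and markup in one place; forms.php would need to be included in vcard.php if it is not already, which this hunk does not show. The surrounding `echo` statement starts before the hunk.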
@@ -233,4 +234,4 @@ echo '<a href="../src/download.php?absol
 <table border="0" cellspacing="0" cellpadding="2" align="center">
 <tr><td bgcolor="<?php echo $color[4]; ?>">
 </td></tr></table>
-</body></html>
\ No newline at end of file
+</body></html>