Bugtraq mailing list archives

Re: [SquirrelMail-Security] XSS in Squirrelmail plugin 'Virtual Keyboard' <= 0.9.1


From: Paul Lesniewski <paul () squirrelmail org>
Date: Fri, 15 Oct 2010 17:44:39 -0700

On Tue, Oct 5, 2010 at 9:28 AM, Moritz Naumann
<security () moritz-naumann com> wrote:
> Hi,
>
> Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
> vulnerable to cross site scripting (XSS).
>
> The vkeyboard.php script fails to sanitize the value of HTTP GET
> parameter 'passformname' which the script stores in a variable of the
> same name and outputs (unmodified) into a HTML document later. As such,
> it is possible to inject client-evaluated HTML and script code into the
> output generated by the application.
>
> For proof of concept, accessing the following location ([Base_URL]
> refers to a Squirrelmail installation with a vulnerable version of the
> 'Virtual Keyboard' plugin) results in a JavaScript-generated alert
> window reading 'XSS' popping up:
> [Base_URL]/plugins/vkeyboard/vkeyboard.php?passformname=%22%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E%3Cscript%3E/*%20
>
> 'Virtual Keyboard' installations can be found using this 'Google dork':
> http://google.com/search?hl=en&safe=off&filter=0&q=inurl%3A%22vkeyboard.php%22
>
> This vulnerability was originally reported in early May 2010.
> A suitable update fixing this issue, Virtual Keyboard v0.9.2 for
> Squirrelmail 1.4.x, has been provided to the Squirrelmail developers and
> me by Daniel Kobayashi Imori of Bastion Systems (the original developer
> of this plugin) in early June 2010 and is attached to this email -
> thanks Daniel. The Squirrelmail team has not yet managed to update this
> plugin in their repository:
> http://squirrelmail.org/plugin_view.php?id=159

As a member of the SquirrelMail development team, I am quite
displeased with this announcement.  The reporter did not check in with
us before it was made.  The truth of the matter, of which the reporter
seems ignorant and apparently didn't bother to verify, is as follows:

The version with a fix was in fact sent to me personally, but not, as
the reporter claims, to all the "SquirrelMail developers."

That version was not up to spec in several regards, and so I
encouraged the plugin's author to work on a more up-to-date version.
The author responded with interest, but after another correspondence
regarding the quality of the plugin's code, the author failed to
reply.

As far as I was concerned, the issue was waiting for the author to
respond to me and/or the issue reporter with an updated status of the
plugin.  Early on, the reporter (Moritz Naumann) sent more than one
email prodding for the chance to publish the vulnerability, which to
me sounded quite impatient and thus, as far as I could tell, eager to
take credit for the discovery rather than help resolve the situation.
After the author fell silent, Moritz also fell silent and gave no
indication that he planned to make this announcement.

While we are greatly interested in providing only secure plugins to
our community, the SquirrelMail developers do not take ultimate
responsibility for any third party plugins and moreover take VERY
UNKINDLY to this kind of impatient, uncommunicative and irresponsible
issue publishing.

So this is the first public release I am aware of.

Great, so you've made a big name for yourself now.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
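An added illustration of the bug class the report describes (a GET parameter echoed unencoded into HTML) next to the standard fix, written for this page. It is not the plugin's code: the function names, the attribute context and the allow-list rule are assumptions.

```php
<?php
// Added example, not vkeyboard.php itself: a reconstruction of the reported
// bug class and its fix. All names and the output context are assumptions.

// Vulnerable pattern: the GET value is placed straight into an attribute.
function render_form_vulnerable(array $get): string {
    $passformname = $get['passformname'] ?? '';
    // A value beginning with  ">  closes the attribute and the tag, so any
    // markup that follows is parsed as part of the page.
    return '<input type="hidden" name="passformname" value="'
        . $passformname . '">';
}

// Output encoding for an HTML attribute: ENT_QUOTES also encodes the quote
// characters that would otherwise terminate the attribute value.
function escape_for_attribute(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: allow-list the expected shape (form names are plain
// identifiers; assumed rule), then encode for the HTML attribute context.
// Encoding alone already neutralises the payload; the allow-list is
// defence in depth against values that make no sense as a form name.
function render_form_fixed(array $get): string {
    $passformname = $get['passformname'] ?? '';
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_\-]{0,63}$/', $passformname)) {
        $passformname = '';
    }
    return '<input type="hidden" name="passformname" value="'
        . escape_for_attribute($passformname) . '">';
}

// Demonstration with the URL-decoded payload quoted in the report.
$payload = ['passformname' => '"><script>alert(\'XSS\');</script><script>/* '];
echo render_form_vulnerable($payload), "\n";   // injected <script> reaches the browser
echo escape_for_attribute($payload['passformname']), "\n"; // &quot;&gt;&lt;script&gt;...
echo render_form_fixed($payload), "\n";        // value="" (rejected by the allow-list)
echo render_form_fixed(['passformname' => 'login_form']), "\n"; // value="login_form"
```

The second echo shows why the fix is encoding rather than a blocklist: every `<`, `>` and quote becomes an entity, so the attribute can never be closed early.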
