oss-sec mailing list archives

Re: Squirrelmail XSS Fixes


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 1 Mar 2019 11:07:04 +0100

Sorry... I was struck by "hit the send button while still writing the
mail"... Let's retry:


Hi,

A while ago I saw that there were some very old XSS reports in the
squirrelmail bugtracker and reported it to this list:
https://www.openwall.com/lists/oss-security/2018/06/27/5

If anyone's interested, squirrelmail upstream has now fixed those (in
SVN, they don't do releases):
https://sourceforge.net/p/squirrelmail/bugs/2831/

I had proposed a different (and imho simpler) patch, but I never got any
feedback from the developer on why he didn't like it. I also sent multiple
fixes for warnings and issues with newer PHP versions that mostly
haven't been applied; in case you are interested, see
https://github.com/hannob/squirrelpatches

I tried a few XSS vectors and it seems they're all closed, though I'd
appreciate more eyes on it. Overall the whole filtering isn't ideal;
it's a blacklisting approach and thus obviously error-prone.

If any XSS ninjas want to play with it and don't have a squirrelmail
installation you can mail me directly and I can give you a temporary
test account.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

