oss-sec mailing list archives
Re: Squirrelmail XSS Fixes
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 1 Mar 2019 11:07:04 +0100
Sorry... I was struck by "hit the send button while still writing the mail"... Let's retry: Hi, A while ago I saw that there were some very old XSS reports in the squirrelmail bugtracker and reported it to this list: https://www.openwall.com/lists/oss-security/2018/06/27/5 If anyone's interested, squirrelmail upstream has now fixed those (in SVN, they don't do releases): https://sourceforge.net/p/squirrelmail/bugs/2831/ I had proposed a different (and imho simpler) patch, I never got any feedback from the developer why he didn't like it. I also sent multiple fixes for warnings and issues with newer PHP versions that mostly haven't been applied, in case you are interested, see https://github.com/hannob/squirrelpatches I tried a few XSS vectors and it seems they're all closed, though I'd appreciate more eyes on it. Overall the whole filtering isn't ideal, it's a blacklisting approach and thus obviously error-prone. If any XSS ninjas want to play with it and don't have a squirrelmail installation you can mail me directly and I can give you a temporary test account. -- Hanno Böck https://hboeck.de/ mail/jabber: hanno () hboeck de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Current thread:
- Squirrelmail XSS Fixes Hanno Böck (Mar 01)
- Re: Squirrelmail XSS Fixes Hanno Böck (Mar 01)