> All,
>
> Attached is a plugin I knocked together inspired by the checkbox on
> bugzilla login screens that allows the user to limit page requests to
> the current IP address. I'm not so sure this is all that useful for
> SM, where most of the vulnerabilities to date are usually having to do
> with XSS or CSRF issues that don't really involve someone hijacking
> and sending page requests from another location, but I could be wrong.
> More security options aren't necessarily bad, but I'm not sure how
> useful this would be....?
1. sqgetGlobalVar uses only three arguments in 1.4.x and returns true when
value is set.
---
// store the IP address in session
//
sqGetGlobalVar('REMOTE_ADDR', $user_ip, SQ_SERVER, '');
if (empty($user_ip))
---
---
// store the IP address in session
//
if (sqGetGlobalVar('REMOTE_ADDR', $user_ip, SQ_SERVER))
---
The way you use sqgetGlobalVar() is not secure in rg=on setups and
SquirrelMail 1.4.6 or older. Initial variable value is not set and you are
not testing return of sqgetGlobalVar(). Issue does not apply to
REMOTE_ADDR test, because $_SERVER['REMOTE_ADDR'] is part of CGI
specification and there is a very big chance that it will be set in all
setups.
2. use of generic_header hook
hook is not executed in download.php, printer_friendly*.php and
message_details plugin.
3. $si_stay_same and $_COOKIE['stay_same'] are boolean and you use value
supplied by form instead of integer. Opera and Firefox set checkbox
variable only when it is checked.
4. if bind_textdomain_codeset function is available, it should be used
with all bindtextdomain('same_ip', SM_PATH . 'locale'); calls in order to
prevent possible charset conversions in some setups.
|
