Menu
▾
▴
[SM-CVS] SF.net SVN: squirrelmail:[13668] trunk/squirrelmail
|
From: <pdo...@us...> - 2009-05-11 21:20:01
|
Revision: 13668
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13668&view=rev
Author: pdontthink
Date: 2009-05-11 21:19:52 +0000 (Mon, 11 May 2009)
Log Message:
-----------
Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content. Thanks to Luc Beurton. (#2723196/CVE-2009-1581)
Modified Paths:
--------------
trunk/squirrelmail/doc/ChangeLog
trunk/squirrelmail/functions/mime.php
Modified: trunk/squirrelmail/doc/ChangeLog
===================================================================
--- trunk/squirrelmail/doc/ChangeLog 2009-05-11 21:17:50 UTC (rev 13667)
+++ trunk/squirrelmail/doc/ChangeLog 2009-05-11 21:19:52 UTC (rev 13668)
@@ -293,6 +293,8 @@
- Completed a massive update to contrib/flat2sql.pl.
- Display visual indication of forwarded messages.
- Added Khmer translation (Thanks to Khoem Sokhem).
+ - Remove ability for HTML emails to use CSS positioning to overlay
+ SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581]
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------
Modified: trunk/squirrelmail/functions/mime.php
===================================================================
--- trunk/squirrelmail/functions/mime.php 2009-05-11 21:17:50 UTC (rev 13667)
+++ trunk/squirrelmail/functions/mime.php 2009-05-11 21:19:52 UTC (rev 13668)
@@ -2143,6 +2143,12 @@
/**
* Fix stupid css declarations which lead to vulnerabilities
* in IE.
+ *
+ * Also remove "position" attribute, as it can easily be set
+ * to "fixed" or "absolute" with "left" and "top" attributes
+ * of zero, taking over the whole content frame. It can also
+ * be set to relative and move itself anywhere it wants to,
+ * displaying content in areas it shouldn't be allowed to touch.
*/
$match = Array('/\/\*.*\*\//',
'/expression/i',
@@ -2150,8 +2156,9 @@
'/binding/i',
'/include-source/i',
'/javascript/i',
- '/script/i');
- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
+ '/script/i',
+ '/position/i');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
$contentNew = preg_replace($match, $replace, $contentTemp);
if ($contentNew !== $contentTemp) {
// insecure css declarations are used. From now on we don't care
@@ -2556,12 +2563,28 @@
"/binding/i",
"/behaviou*r/i",
"/include-source/i",
- "/position\s*:\s*absolute/i",
+
+ // position:relative can also be exploited
+ // to put content outside of email body area
+ // and position:fixed is similarly exploitable
+ // as position:absolute, so we'll remove it
+ // altogether....
+ //
+ // Does this screw up legitimate HTML messages?
+ // If so, the only fix I see is to allow position
+ // attributes (any values? I think we still have
+ // to block static and fixed) only if $use_iframe
+ // is enabled (1.5.0+)
+ //
+ // was: "/position\s*:\s*absolute/i",
+ //
+ "/position\s*:/i",
+
"/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",
"/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
- "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
+ "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si",
),
Array(
"",
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|