From: <pdo...@us...> - 2009-05-11 21:20:01
Revision: 13668 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13668&view=rev Author: pdontthink Date: 2009-05-11 21:19:52 +0000 (Mon, 11 May 2009) Log Message: ----------- Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content. Thanks to Luc Beurton. (#2723196/CVE-2009-1581) Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/mime.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-11 21:17:50 UTC (rev 13667) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-11 21:19:52 UTC (rev 13668) @@ -293,6 +293,8 @@ - Completed a massive update to contrib/flat2sql.pl. - Display visual indication of forwarded messages. - Added Khmer translation (Thanks to Khoem Sokhem). + - Remove ability for HTML emails to use CSS positioning to overlay + SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/functions/mime.php =================================================================== --- trunk/squirrelmail/functions/mime.php 2009-05-11 21:17:50 UTC (rev 13667) +++ trunk/squirrelmail/functions/mime.php 2009-05-11 21:19:52 UTC (rev 13668) @@ -2143,6 +2143,12 @@ /** * Fix stupid css declarations which lead to vulnerabilities * in IE. + * + * Also remove "position" attribute, as it can easily be set + * to "fixed" or "absolute" with "left" and "top" attributes + * of zero, taking over the whole content frame. It can also + * be set to relative and move itself anywhere it wants to, + * displaying content in areas it shouldn't be allowed to touch. */ $match = Array('/\/\*.*\*\//', '/expression/i', 
@@ -2150,8 +2156,9 @@ '/binding/i', '/include-source/i', '/javascript/i', - '/script/i'); - $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); + '/script/i', + '/position/i'); + $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', ''); $contentNew = preg_replace($match, $replace, $contentTemp); if ($contentNew !== $contentTemp) { // insecure css declarations are used. From now on we don't care @@ -2556,12 +2563,28 @@ "/binding/i", "/behaviou*r/i", "/include-source/i", - "/position\s*:\s*absolute/i", + + // position:relative can also be exploited + // to put content outside of email body area + // and position:fixed is similarly exploitable + // as position:absolute, so we'll remove it + // altogether.... + // + // Does this screw up legitimate HTML messages? + // If so, the only fix I see is to allow position + // attributes (any values? I think we still have + // to block static and fixed) only if $use_iframe + // is enabled (1.5.0+) + // + // was: "/position\s*:\s*absolute/i", + // + "/position\s*:/i", + "/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i", "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si", - "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si" + "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si", ), Array( "", This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
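Review bot: the new ChangeLog entry in the `@@ -293,6 +293,8 @@` hunk is in the present tense ("Remove ability ...") while the neighbouring entries are in the past tense ("Completed", "Added"); suggest "Removed ability for HTML emails to use CSS positioning ..." to keep the list consistent. The tracker id and CVE are also cited in two different forms, "(#2723196) [CVE-2009-1581]" here and "(#2723196/CVE-2009-1581)" in the commit message; pick one.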
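Review bot: the comment added in the `@@ -2143,6 +2143,12 @@` hunk describes "position" as an attribute and says it is removed, but `position` is a CSS property and the pattern added to `$match` in the next hunk strips only the word, leaving the rest of the declaration in place. Reword the comment to say what actually happens (the property name is blanked so that no `position:` declaration survives), so a later reader does not expect the whole declaration to be removed.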
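Review bot: `'/position/i'` in the `@@ -2150,8 +2156,9 @@` hunk is an unanchored substring match, so it also fires on legitimate properties such as `background-position` and `list-style-position`, corrupts them, and then trips the `$contentNew !== $contentTemp` check that follows, flagging the whole style block as insecure. Consider `'/(?<![\w-])position\s*:/i'` so only a real `position:` declaration matches. Note also that the `url` pattern further down tolerates a backslash between letters while this one does not; if that tolerance was deliberate there, the same treatment belongs here.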
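Review bot: the comment in the `@@ -2556,12 +2563,28 @@` hunk says "I think we still have to block static and fixed", but `static` is the default, non-positioned value and cannot move content; this presumably means `absolute` and `fixed`, so correct the comment. The open question ("Does this screw up legitimate HTML messages?") belongs in the bug tracker rather than in the middle of the array literal, and the answer is at least partly yes: `"/position\s*:/i"` also matches `background-position:` and `list-style-position:`, so a negative lookbehind such as `"/(?<![\w-])position\s*:/i"` is needed to avoid those false positives. The trailing comma added after the last element is valid PHP and keeps future additions out of the diff noise.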