squirrelmail-users — SquirrelMail Users Mailing List

Re: [SM-USERS] Squirrelmail 1.4.23-SVN Functionality

[Jay H. <jh...@ke...>]

>> Using this version ^^above^^, do the following plugins need to be
>> patched????:
>> - reply_button
>
> Nope
>
>> - msg_flags
>> - multiple_attachments
>
> There are unpublished updates for these (contact me offlist if you want to
> try them) but I think the existing ones still work fine.
>
>> I have the following plugins installed:
>> add_address, calendar, demo, html_mail, jump_to_folder, msg_flags,
>> sent_subfolders, squirrelspell, administrator
>> compatibility, filters, image_buttons, listcommands, multiple_attachments,
>> reply_buttons, show_headers, test
>> advanced_settings, compose_extras, folder_sizes, mail_fetch, newmail,
>> select_range, spamcop, translate, bug_report
>> delete_move_next, fortune, info, message_details, preview_pane,
>> sent_confirmation, squirrel_logger, and view_as_html
>>
>> Not all these plugins are active...
>
> Best to list active plugins (and versions) if you are seeing bugs and
> think they are to blame.  Or just remove them all and add them one at a
> time.
>

All plugins either came with the version of Squirrelmail I downloaded, or I got them directly from the plugins page yesterday.  Just
loaded on Quicksave and now have the 'Cancel' option when editing emails.

Here is a list of my plugins:
Plugins
  Installed Plugins
    1. info
    2. squirrelspell
    3. newmail
    4. message_details
    5. add_address
    6. select_range
    7. sent_confirmation
    8. view_as_html
    9. squirrel_logger
    10. folder_sizes
    11. compose_extras
    12. advanced_settings
    13. calendar
    14. image_buttons
    15. multiple_attachments
    16. show_headers
    17. jump_to_folder
    18. html_mail
    19. reply_buttons
    20. delete_move_next
    21. quicksave

  Available Plugins:
    22. administrator
    23. bug_report
    24. compatibility
    25. demo
    26. filters
    27. fortune
    28. listcommands
    29. mail_fetch
    30. msg_flags
    31. preview_pane
    32. sent_subfolders
    33. spamcop
    34. test
    35. translate


>> I can't see my interface issues being a result of the three plugins I
>> can't patch.
>
> What do you mean by "can't patch?"

I addressed this is a separate email and you replied already.

>
>> 1. When viewing a folder/directory, I am missing the "Thread View" option
>
> Check these:
> $allow_thread_sort
> $allow_server_sort
>
>> 2. I can only reply to an email if I am viewing a Message List
>> (folder/directory). Click the 'select' box and hit reply or reply all.
>
> That's not a description of a problem.  Sounds like it's a description of
> the Reply Buttons plugin
>
>> 3. When I am viewing an email, I do not have the ability to 'Forward',
>> 'Forward as Attachment', 'Reply', or 'Reply all'. The button
>> options which should be on the top right of the message are not there.  I
>> can't think of a reason these would be missing from an updated
>> version of Squirrelmail.  They are important...
>
> Disable all your plugins and try again.  Sounds like maybe a patch you
> applied might have done something it shouldn't have.  If you don't want to
> undo all your patches (msg_flags for example), just install a fresh
> tarball in a parallel directory and copy over the config file.
>
>> 4. I also do not have the ability to cancel an email being edited. That
>> button/option is also missing if it is supposed to exist.  Have to
>> just go select a folder to cancel out of the email...
>
> That is provided by the Quick Save plugin (new unpublished version of that
> is available offlist too)
>
>> 5. When viewing an email in a message list, the options above the header
>> field are missing the 'Previous' and 'Next' options. I do have
>> 'Previous and Delete', 'Unread & Prev', Unread & Next', and' Delete &
>> Next'.  Doesn't matter if the email is the first, last, or in the
>> middle of the list, no 'previous' or 'next' options...
>
> Sounds like the same problem as number 3 above.  Maybe the
> delete_move_next plugin is the wrong version or it got erroneously
> patched.  Make sure to use the version that comes with SM
>
>> 6. When viewing an email, I don't have the "Message List" option to click
>> on to go back to the message list.  I have to go select the
>> message list/folder on the left frame again to work around this.
>
> Sounds like the same issue here too
>
>> 7.  Here is a copy of my configtest results:
>> SquirrelMail version:	1.4.23 [SVN]
>> Config file version:	1.4.0
>> Config file last modified:	19 November 2021 19:57:25
>> Checking PHP configuration...
>>     PHP version 7.3.33 OK.
>>     Running as N/A(N/A) / N/A(N/A)
>>     display_errors:
>>     error_reporting: 22527
>>     variables_order OK: GPCS.
>>     PHP extensions OK. Dynamic loading is disabled.
>> Checking paths...
>>     Data dir OK.
>>     Attachment dir OK.
>>     Plugins OK.
>>     Themes OK.
>>     Default language OK.
>>     Base URL detected as: https://X.X.X.X/webmail/src (location base
>> autodetected)
>> Checking outgoing mail service....
>>     SMTP server OK (220 dream.kevla.org ESMTP)
>> Checking IMAP service....
>>     IMAP server ready (* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS
>> ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot
>> ready.)
>>     Capabilities: * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
>> IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN
>> Checking internationalization (i18n) settings...
>>      gettext - Gettext functions are available. On some systems you must
>> have appropriate system locales compiled.
>>      mbstring - Mbstring functions are available.
>>      recode - Recode functions are unavailable.
>>      iconv - Iconv functions are available.
>>      timezone - Webmail users can change their time zone settings.
>> Checking database functions...
>>     not using database functionality.
>>
>> Congratulations, your SquirrelMail setup looks fine to me!
>>
>> 8. I do have some errors in the PHP log:
>> PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match
>> expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
>> onfigtest.php on line 454
>>
>> PHP Warning:  fsockopen(): Failed to enable crypto in
>> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>>
>> PHP Warning:  fsockopen(): unable to connect to ssl://localhost:993
>> (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>>  on line 454
>>
>> PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match
>> expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
>> onfigtest.php on line 454
>>
>> PHP Warning:  fsockopen(): Failed to enable crypto in
>> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>>
>> PHP Warning:  fsockopen(): unable to connect to ssl://localhost:993
>> (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>>  on line 454
>>
>> PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error
>> messages:
>> error:1408F10B:SSL routines:ssl3_get_record:wrong version number in
>> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>>
>> PHP Warning:  fsockopen(): Failed to enable crypto in
>> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>>
>> PHP Warning:  fsockopen(): unable to connect to ssl://localhost:143
>> (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>>  on line 454
>
> Those are all from configtest as it tries to learn about your system.  If
> they don't show up under normal usage, I'd ignore.
>
>> PHP Warning:  A non-numeric value encountered in
>> /usr/share/squirrelmail.1423/functions/date.php on line 91
>
> This happens when?  Can you get the input or other data related to how
> this happens?

I can try. I just captured this today...  I think a couple were from yesterday and can be ignored.

>
>> PHP Notice:  Undefined variable: output in
>> /usr/share/squirrelmail.1423/plugins/multiple_attachments/functions.php on
>> line 119
>
> Inconsequential notice that is fixed in newer version of the plugin
>
> Cheers,
> --
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php
>
>
>
>
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squ...@li...
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>

Jay

Re: [SM-USERS] Squirrelmail 1.4.23-SVN Functionality

[Paul L. <pa...@sq...>]

On Sat, November 20, 2021 1:39 am, Jay Hart wrote:
> A few notes below on the first issues I noted with the interface.  I
> disabled the 'preview-pane' plugin and resolved most of the issues.
> I'll show which ones below.  I don't use 'preview-pane' view, so it
> appears this plugin was still having some effect on the interface just
> by being loaded/enabled in the ./conf.pl config, with no options checked
> in the display settings..

It comes with patches for full installation, that could easily be the
problem.  An updated version of this is also available offlist.

> The problem with patching is it appears the fact these plugins have
> 'newer' file stamps, is causing patch to say the files don't exist.

Nothing to do with date stamps.  It's a file path problem.  You can just
copy/type in the file path that is given just above and it should work or
IIRC run the patch command like so (from the directory of whatever plugin
it is that you are patching for):

patch -d ../../ -p2 < patches/xxxx.diff

You may need to fiddle with the options until you get it right.

> Here is what I see when trying to patch msg_flags:
>
> [root@dream msg_flags]# patch -p0 <
> patches/msg_flags-squirrelmail-1.4.20.diff
> can't find file to patch at input line 3
> Perhaps you used the wrong -p or --strip option?
> The text leading up to this was:
> --------------------------
> |--- ../../functions/mailbox_display.php.orig   2008-02-10
> 08:49:47.000000000 -0800
> |+++ ../../functions/mailbox_display.php        2008-06-11
> 06:41:00.000000000 -0700
> --------------------------
> File to patch:
>
> I am NO EXPERT here, looking for assistance on how to resolve, if I need
> too!

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] Squirrelmail 1.4.23-SVN Functionality

[Paul L. <pa...@sq...>]

> Using this version ^^above^^, do the following plugins need to be
> patched????:
> - reply_button

Nope

> - msg_flags
> - multiple_attachments

There are unpublished updates for these (contact me offlist if you want to
try them) but I think the existing ones still work fine.

> I have the following plugins installed:
> add_address, calendar, demo, html_mail, jump_to_folder, msg_flags,
> sent_subfolders, squirrelspell, administrator
> compatibility, filters, image_buttons, listcommands, multiple_attachments,
> reply_buttons, show_headers, test
> advanced_settings, compose_extras, folder_sizes, mail_fetch, newmail,
> select_range, spamcop, translate, bug_report
> delete_move_next, fortune, info, message_details, preview_pane,
> sent_confirmation, squirrel_logger, and view_as_html
>
> Not all these plugins are active...

Best to list active plugins (and versions) if you are seeing bugs and
think they are to blame.  Or just remove them all and add them one at a
time.

> I can't see my interface issues being a result of the three plugins I
> can't patch.

What do you mean by "can't patch?"

> 1. When viewing a folder/directory, I am missing the "Thread View" option

Check these:
$allow_thread_sort
$allow_server_sort

> 2. I can only reply to an email if I am viewing a Message List
> (folder/directory). Click the 'select' box and hit reply or reply all.

That's not a description of a problem.  Sounds like it's a description of
the Reply Buttons plugin

> 3. When I am viewing an email, I do not have the ability to 'Forward',
> 'Forward as Attachment', 'Reply', or 'Reply all'. The button
> options which should be on the top right of the message are not there.  I
> can't think of a reason these would be missing from an updated
> version of Squirrelmail.  They are important...

Disable all your plugins and try again.  Sounds like maybe a patch you
applied might have done something it shouldn't have.  If you don't want to
undo all your patches (msg_flags for example), just install a fresh
tarball in a parallel directory and copy over the config file.

> 4. I also do not have the ability to cancel an email being edited. That
> button/option is also missing if it is supposed to exist.  Have to
> just go select a folder to cancel out of the email...

That is provided by the Quick Save plugin (new unpublished version of that
is available offlist too)

> 5. When viewing an email in a message list, the options above the header
> field are missing the 'Previous' and 'Next' options. I do have
> 'Previous and Delete', 'Unread & Prev', Unread & Next', and' Delete &
> Next'.  Doesn't matter if the email is the first, last, or in the
> middle of the list, no 'previous' or 'next' options...

Sounds like the same problem as number 3 above.  Maybe the
delete_move_next plugin is the wrong version or it got erroneously
patched.  Make sure to use the version that comes with SM

> 6. When viewing an email, I don't have the "Message List" option to click
> on to go back to the message list.  I have to go select the
> message list/folder on the left frame again to work around this.

Sounds like the same issue here too

> 7.  Here is a copy of my configtest results:
> SquirrelMail version:	1.4.23 [SVN]
> Config file version:	1.4.0
> Config file last modified:	19 November 2021 19:57:25
> Checking PHP configuration...
>     PHP version 7.3.33 OK.
>     Running as N/A(N/A) / N/A(N/A)
>     display_errors:
>     error_reporting: 22527
>     variables_order OK: GPCS.
>     PHP extensions OK. Dynamic loading is disabled.
> Checking paths...
>     Data dir OK.
>     Attachment dir OK.
>     Plugins OK.
>     Themes OK.
>     Default language OK.
>     Base URL detected as: https://X.X.X.X/webmail/src (location base
> autodetected)
> Checking outgoing mail service....
>     SMTP server OK (220 dream.kevla.org ESMTP)
> Checking IMAP service....
>     IMAP server ready (* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS
> ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot
> ready.)
>     Capabilities: * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN
> Checking internationalization (i18n) settings...
>      gettext - Gettext functions are available. On some systems you must
> have appropriate system locales compiled.
>      mbstring - Mbstring functions are available.
>      recode - Recode functions are unavailable.
>      iconv - Iconv functions are available.
>      timezone - Webmail users can change their time zone settings.
> Checking database functions...
>     not using database functionality.
>
> Congratulations, your SquirrelMail setup looks fine to me!
>
> 8. I do have some errors in the PHP log:
> PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match
> expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
> onfigtest.php on line 454
>
> PHP Warning:  fsockopen(): Failed to enable crypto in
> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>
> PHP Warning:  fsockopen(): unable to connect to ssl://localhost:993
> (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>  on line 454
>
> PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match
> expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
> onfigtest.php on line 454
>
> PHP Warning:  fsockopen(): Failed to enable crypto in
> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>
> PHP Warning:  fsockopen(): unable to connect to ssl://localhost:993
> (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>  on line 454
>
> PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error
> messages:
> error:1408F10B:SSL routines:ssl3_get_record:wrong version number in
> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>
> PHP Warning:  fsockopen(): Failed to enable crypto in
> /usr/share/squirrelmail.1423/src/configtest.php on line 454
>
> PHP Warning:  fsockopen(): unable to connect to ssl://localhost:143
> (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>  on line 454

Those are all from configtest as it tries to learn about your system.  If
they don't show up under normal usage, I'd ignore.

> PHP Warning:  A non-numeric value encountered in
> /usr/share/squirrelmail.1423/functions/date.php on line 91

This happens when?  Can you get the input or other data related to how
this happens?

> PHP Notice:  Undefined variable: output in
> /usr/share/squirrelmail.1423/plugins/multiple_attachments/functions.php on
> line 119

Inconsequential notice that is fixed in newer version of the plugin

Cheers,
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] Squirrelmail 1.4.23-SVN Functionality

[Jay H. <jh...@ke...>]

A few notes below on the first issues I noted with the interface.  I disabled the 'preview-pane' plugin and resolved most of the issues. 
I'll show which ones below.  I don't use 'preview-pane' view, so it appears this plugin was still having some effect on the interface just
by being loaded/enabled in the ./conf.pl config, with no options checked in the display settings..

> Installed the above version dated 11.17.2021 and have it working. I am missing functionality in the interface and am wondering if this
might be due to not being able to patch a few of the plugins. Using this version ^^above^^, do the following plugins need to be
patched????: - msg_flags
> - reply_button
> - multiple_attachments

> I have the following plugins installed:
> add_address, calendar, demo, html_mail, jump_to_folder, msg_flags, sent_subfolders, squirrelspell, administrator compatibility, filters,
image_buttons, listcommands, multiple_attachments, reply_buttons, show_headers, test advanced_settings, compose_extras, folder_sizes,
mail_fetch, newmail, select_range, spamcop, translate, bug_report delete_move_next, fortune, info, message_details, preview_pane,
sent_confirmation, squirrel_logger, and view_as_html Not all these plugins are active...

> I can't see my interface issues being a result of the three plugins I can't patch. I also am missing the following functionality: *Note:
These are differences between 1.4.22 and 1.4.23-SVN, but I can't see the bulk of them being that most different between the two versions.

The problem with patching is it appears the fact these plugins have 'newer' file stamps, is causing patch to say the files don't exist.

Here is what I see when trying to patch msg_flags:

[root@dream msg_flags]# patch -p0 < patches/msg_flags-squirrelmail-1.4.20.diff
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- ../../functions/mailbox_display.php.orig   2008-02-10 08:49:47.000000000 -0800
|+++ ../../functions/mailbox_display.php        2008-06-11 06:41:00.000000000 -0700
--------------------------
File to patch:

I am NO EXPERT here, looking for assistance on how to resolve, if I need too!

> 1. When viewing a folder/directory, I am missing the "Thread View" option .

Disabling preview_pane did not resolve this issue. If there if a config option I can't find one.

> 2. I can only reply to an email if I am viewing a Message List (folder/directory). Click the 'select' box and hit reply or reply all.

Disabling preview_pane resolved this issue.  I now have the ability to reply/forward an email when viewing it.

> 3. When I am viewing an email, I do not have the ability to 'Forward', 'Forward as Attachment', 'Reply', or 'Reply all'. The button
options which should be on the top right of the message are not there.  I can't think of a reason these would be missing from an updated
version of Squirrelmail.  They are important...

Disabling preview_pane resolved this issue.  I now have the ability to reply/forward an email when viewing it.

> 4. I also do not have the ability to cancel an email being edited. That button/option is also missing if it is supposed to exist.  Have
to
> just go select a folder to cancel out of the email...

Disabling preview_pane did not resolve this issue.  Same process as before to back out of editing an email is to click on another
folder/option.

On further investigation, this fixed itself.  Baffling...

> 5. When viewing an email in a message list, the options above the header field are missing the 'Previous' and 'Next' options. I do have
'Previous and Delete', 'Unread & Prev', Unread & Next', and' Delete & Next'.  Doesn't matter if the email is the first, last, or in the
middle of the list, no 'previous' or 'next' options...

Disabling preview_pane resolved this issue.  Those showed up when I disabled preview_pane, logged out, and logged back in.

> 6. When viewing an email, I don't have the "Message List" option to click on to go back to the message list.  I have to go select the
message list/folder on the left frame again to work around this.

Disabling preview_pane resolved this issue.  I now have the message list again when preview_pane was disabled.

> 7.  Here is a copy of my configtest results:
> SquirrelMail version:	1.4.23 [SVN]
> Config file version:	1.4.0
> Config file last modified:	19 November 2021 19:57:25
> Checking PHP configuration...
>     PHP version 7.3.33 OK.
>     Running as N/A(N/A) / N/A(N/A)
>     display_errors:
>     error_reporting: 22527
>     variables_order OK: GPCS.
>     PHP extensions OK. Dynamic loading is disabled.
> Checking paths...
>     Data dir OK.
>     Attachment dir OK.
>     Plugins OK.
>     Themes OK.
>     Default language OK.
>     Base URL detected as: https://X.X.X.X/webmail/src (location base autodetected)
> Checking outgoing mail service....
>     SMTP server OK (220 dream.kevla.org ESMTP)
> Checking IMAP service....
>     IMAP server ready (* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN]
Dovecot
> ready.)
>     Capabilities: * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN
> Checking internationalization (i18n) settings...
>      gettext - Gettext functions are available. On some systems you must have appropriate system locales compiled. mbstring - Mbstring
functions are available.
>      recode - Recode functions are unavailable.
>      iconv - Iconv functions are available.
>      timezone - Webmail users can change their time zone settings.
> Checking database functions...
>     not using database functionality.
> Congratulations, your SquirrelMail setup looks fine to me!
> 8. I do have some errors in the PHP log:
> PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
onfigtest.php on line 454
> PHP Warning:  fsockopen(): Failed to enable crypto in /usr/share/squirrelmail.1423/src/configtest.php on line 454 PHP Warning:
fsockopen(): unable to connect to ssl://localhost:993 (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>  on line 454
> PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
onfigtest.php on line 454
> PHP Warning:  fsockopen(): Failed to enable crypto in /usr/share/squirrelmail.1423/src/configtest.php on line 454 PHP Warning:
fsockopen(): unable to connect to ssl://localhost:993 (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
>  on line 454
> PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:1408F10B:SSL routines:ssl3_get_record:wrong
version number in /usr/share/squirrelmail.1423/src/configtest.php on line 454 PHP Warning:  fsockopen(): Failed to enable crypto in
/usr/share/squirrelmail.1423/src/configtest.php on line 454 PHP Warning:  fsockopen(): unable to connect to ssl://localhost:143 (Unknown
error) in /usr/share/squirrelmail.1423/src/configtest.php
>  on line 454
> PHP Warning:  A non-numeric value encountered in /usr/share/squirrelmail.1423/functions/date.php on line 91 PHP Notice:  Undefined
variable: output in /usr/share/squirrelmail.1423/plugins/multiple_attachments/functions.php on line 119 -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squ...@li...
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options):
https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

[SM-USERS] Squirrelmail 1.4.23-SVN Functionality

[Jay H. <jh...@ke...>]

Installed the above version dated 11.17.2021 and have it working.

I am missing functionality in the interface and am wondering if this might be due to not being able to patch a few of the plugins.

Using this version ^^above^^, do the following plugins need to be patched????:
- msg_flags
- reply_button
- multiple_attachments

I have the following plugins installed:
add_address, calendar, demo, html_mail, jump_to_folder, msg_flags, sent_subfolders, squirrelspell, administrator
compatibility, filters, image_buttons, listcommands, multiple_attachments, reply_buttons, show_headers, test
advanced_settings, compose_extras, folder_sizes, mail_fetch, newmail, select_range, spamcop, translate, bug_report
delete_move_next, fortune, info, message_details, preview_pane, sent_confirmation, squirrel_logger, and view_as_html

Not all these plugins are active...

I can't see my interface issues being a result of the three plugins I can't patch.

I also am missing the following functionality: *Note: These are differences between 1.4.22 and 1.4.23-SVN, but I can't see the bulk of
them being that most different between the two versions.

1. When viewing a folder/directory, I am missing the "Thread View" option .

2. I can only reply to an email if I am viewing a Message List (folder/directory). Click the 'select' box and hit reply or reply all.

3. When I am viewing an email, I do not have the ability to 'Forward', 'Forward as Attachment', 'Reply', or 'Reply all'. The button
options which should be on the top right of the message are not there.  I can't think of a reason these would be missing from an updated
version of Squirrelmail.  They are important...

4. I also do not have the ability to cancel an email being edited. That button/option is also missing if it is supposed to exist.  Have to
just go select a folder to cancel out of the email...

5. When viewing an email in a message list, the options above the header field are missing the 'Previous' and 'Next' options. I do have
'Previous and Delete', 'Unread & Prev', Unread & Next', and' Delete & Next'.  Doesn't matter if the email is the first, last, or in the
middle of the list, no 'previous' or 'next' options...

6. When viewing an email, I don't have the "Message List" option to click on to go back to the message list.  I have to go select the
message list/folder on the left frame again to work around this.

7.  Here is a copy of my configtest results:
SquirrelMail version:	1.4.23 [SVN]
Config file version:	1.4.0
Config file last modified:	19 November 2021 19:57:25
Checking PHP configuration...
    PHP version 7.3.33 OK.
    Running as N/A(N/A) / N/A(N/A)
    display_errors:
    error_reporting: 22527
    variables_order OK: GPCS.
    PHP extensions OK. Dynamic loading is disabled.
Checking paths...
    Data dir OK.
    Attachment dir OK.
    Plugins OK.
    Themes OK.
    Default language OK.
    Base URL detected as: https://X.X.X.X/webmail/src (location base autodetected)
Checking outgoing mail service....
    SMTP server OK (220 dream.kevla.org ESMTP)
Checking IMAP service....
    IMAP server ready (* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot
ready.)
    Capabilities: * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN
Checking internationalization (i18n) settings...
     gettext - Gettext functions are available. On some systems you must have appropriate system locales compiled.
     mbstring - Mbstring functions are available.
     recode - Recode functions are unavailable.
     iconv - Iconv functions are available.
     timezone - Webmail users can change their time zone settings.
Checking database functions...
    not using database functionality.

Congratulations, your SquirrelMail setup looks fine to me!

8. I do have some errors in the PHP log:
PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
onfigtest.php on line 454

PHP Warning:  fsockopen(): Failed to enable crypto in /usr/share/squirrelmail.1423/src/configtest.php on line 454

PHP Warning:  fsockopen(): unable to connect to ssl://localhost:993 (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
 on line 454

PHP Warning:  fsockopen(): Peer certificate CN=`kevla.org' did not match expected CN=`localhost' in /usr/share/squirrelmail.1423/src/c
onfigtest.php on line 454

PHP Warning:  fsockopen(): Failed to enable crypto in /usr/share/squirrelmail.1423/src/configtest.php on line 454

PHP Warning:  fsockopen(): unable to connect to ssl://localhost:993 (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
 on line 454

PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1408F10B:SSL routines:ssl3_get_record:wrong version number in /usr/share/squirrelmail.1423/src/configtest.php on line 454

PHP Warning:  fsockopen(): Failed to enable crypto in /usr/share/squirrelmail.1423/src/configtest.php on line 454

PHP Warning:  fsockopen(): unable to connect to ssl://localhost:143 (Unknown error) in /usr/share/squirrelmail.1423/src/configtest.php
 on line 454

PHP Warning:  A non-numeric value encountered in /usr/share/squirrelmail.1423/functions/date.php on line 91

PHP Notice:  Undefined variable: output in /usr/share/squirrelmail.1423/plugins/multiple_attachments/functions.php on line 119

Re: [SM-USERS] Need help with Squirrelmail 1.4.23-SVN on Centos 8

[Paul L. <pa...@sq...>]

On Fri, November 19, 2021 3:08 am, Jay Hart wrote:
> Fixed the attachment directory write issue by setting setenforce to '0'.

Not a good long-term solution.  You can watch the audit log and use ls -Z
to view file/directory contexts.  Use tools like audit2allow to help you
figure out what policies you may need to change, but it's probably just a
matter of setting directory context correctly.  There are lots of helpful
tutorials for that online, and once you look into it, it's not (much)
harder than fixing the permissions you already did.

> Then I got held up on the IMAP server (dovecot) and had to set 'Secure
> IMAP (TLS)' setting to 'disabled'.

If it's on the same machine, and you're connecting on port 143, then that
is correct, you don't want TLS.  You only need that for over-network
connections to log in, usually on port 993.

> Does these sound ok?  Or, do I have another issue??
>
> Great news is I just logged into my new Squirrelmail setup!!!

Good job
-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] Need help with Squirrelmail 1.4.23-SVN on Centos 8

[Jay H. <jh...@ke...>]

Fixed the attachment directory write issue by setting setenforce to '0'.

Then I got held up on the IMAP server (dovecot) and had to set 'Secure IMAP (TLS)' setting to 'disabled'.

Does these sound ok?  Or, do I have another issue??

Great news is I just logged into my new Squirrelmail setup!!!

Jay



> I am past this point now. Solved a bit more items. But now stuck on writing permissions to the attachment directory
> (/var/spool/squirrelmail/attach/)
>
> - main thing I fixed was the squirrelmail conf file in the /etc/httpd directories.
>
> Jay
>
>> Good Evening,
>>
>> Problem: Squirrelmail will not run due to likely permissions issue on the server.
>>
>> I am trying to get Squirrelmail running on a Centos 8 server. I have Centos 8 fully patched and running on stream.  Using Apache,
>> dovecot,
>> SA, and clamav for email.  I have all those pieces installed and working, just need the webmail app to work and I should be GTG.
>>
>> PHP is version 7.3.33, and I installed the 1.4.23-SVN gz file dated 11-17-2021.
>>
>> I ran conf.pl and updated the parameters for this particular server.
>>
>> The web Document root for Apache is /www. Squirrelmail is installed in /usr/share/squirrelmail.1423
>>
>> I have a squirrelmail config file at /etc/httpd/conf.module.d called 16-squirrelmail.conf
>> Contents of that file are:
>> #
>> # SquirrelMail is a webmail package written in PHP.
>> #
>>
>> Alias /webmail "/usr/share/squirrelmail.1423"
>>
>> #<Directory "/usr/share/squirrelmail.1423/plugins/squirrelspell/modules">
>> <Directory "/webmail">
>>  AllowOverride None
>>  Options Indexes Multiviews
>>  Require all granted
>> </Directory>
>>
>> # this section makes squirrelmail use https connections only, for this you
>> # need to have mod_ssl installed. If you want to use unsecure http
>> # connections, just remove this section:
>> #6-12-2020 commented out next five lines to test sqmail in http mode only
>> <Directory /usr/share/squirrelmail.1423>
>>   RewriteEngine  on
>>   RewriteCond    %{HTTPS} !=on
>>   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
>> </Directory>
>>
>> I do not know if this ^^^file^^^ needs to be configured more.
>>
>> My issue:  When trying to run the configtest.php file, I get the following error in the httpd/ssl_error.log file
>> [Thu Nov 18 18:12:41.534518 2021] [authz_core:error] [pid 9493:tid 140018726373120] [client 10.20.30.61:38104] AH01630: client denied by
>> server configuration: /usr/share/squirrelmail.1423/src/configtest.php
>>
>> So, I think my issue with Squirrelmail is a permissions issue and I've been trying to solve that today.  Any changes to any /etc/httpd
>> conf files result in a restart for httpd for testing.
>>
>> Can someone give me a few other pointers to look at, and also provide any insight into if the file contents I have provided are correct.
>> I can also provide additional data as needed.
>>
>> Thanks,
>>
>> Jay
>>
>>
>>
>>
>> -----
>> squirrelmail-users mailing list
>> Posting guidelines: http://squirrelmail.org/postingguidelines
>> List address: squ...@li...
>> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
>> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>>
>
>
>
>
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squ...@li...
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>

Re: [SM-USERS] Need help with Squirrelmail 1.4.23-SVN on Centos 8

[Paul L. <pa...@sq...>]

On Fri, November 19, 2021 2:21 am, Jay Hart wrote:
> I am past this point now. Solved a bit more items. But now stuck on
> writing permissions to the attachment directory
> (/var/spool/squirrelmail/attach/)

Just watch your log file, walk the directory structure to your
data/attachments directories looking at permissions.  If SELinux is
active, watch its logs and file/directory contexts also.  Make sure not to
open up permissions more than the minimum required.

There are lots of past mailing list posts you can refer to as well as:

https://squirrelmail.org/wiki/index.php?page=DataAndAttachmentsDirectories

Cheers,
-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] Need help with Squirrelmail 1.4.23-SVN on Centos 8

[Jay H. <jh...@ke...>]

I am past this point now. Solved a bit more items. But now stuck on writing permissions to the attachment directory
(/var/spool/squirrelmail/attach/)

- main thing I fixed was the squirrelmail conf file in the /etc/httpd directories.

Jay

> Good Evening,
>
> Problem: Squirrelmail will not run due to likely permissions issue on the server.
>
> I am trying to get Squirrelmail running on a Centos 8 server. I have Centos 8 fully patched and running on stream.  Using Apache, dovecot,
> SA, and clamav for email.  I have all those pieces installed and working, just need the webmail app to work and I should be GTG.
>
> PHP is version 7.3.33, and I installed the 1.4.23-SVN gz file dated 11-17-2021.
>
> I ran conf.pl and updated the parameters for this particular server.
>
> The web Document root for Apache is /www. Squirrelmail is installed in /usr/share/squirrelmail.1423
>
> I have a squirrelmail config file at /etc/httpd/conf.module.d called 16-squirrelmail.conf
> Contents of that file are:
> #
> # SquirrelMail is a webmail package written in PHP.
> #
>
> Alias /webmail "/usr/share/squirrelmail.1423"
>
> #<Directory "/usr/share/squirrelmail.1423/plugins/squirrelspell/modules">
> <Directory "/webmail">
>  AllowOverride None
>  Options Indexes Multiviews
>  Require all granted
> </Directory>
>
> # this section makes squirrelmail use https connections only, for this you
> # need to have mod_ssl installed. If you want to use unsecure http
> # connections, just remove this section:
> #6-12-2020 commented out next five lines to test sqmail in http mode only
> <Directory /usr/share/squirrelmail.1423>
>   RewriteEngine  on
>   RewriteCond    %{HTTPS} !=on
>   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> </Directory>
>
> I do not know if this ^^^file^^^ needs to be configured more.
>
> My issue:  When trying to run the configtest.php file, I get the following error in the httpd/ssl_error.log file
> [Thu Nov 18 18:12:41.534518 2021] [authz_core:error] [pid 9493:tid 140018726373120] [client 10.20.30.61:38104] AH01630: client denied by
> server configuration: /usr/share/squirrelmail.1423/src/configtest.php
>
> So, I think my issue with Squirrelmail is a permissions issue and I've been trying to solve that today.  Any changes to any /etc/httpd
> conf files result in a restart for httpd for testing.
>
> Can someone give me a few other pointers to look at, and also provide any insight into if the file contents I have provided are correct.
> I can also provide additional data as needed.
>
> Thanks,
>
> Jay
>
>
>
>
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squ...@li...
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>

[SM-USERS] Need help with Squirrelmail 1.4.23-SVN on Centos 8

[Jay H. <jh...@ke...>]

Good Evening,

Problem: Squirrelmail will not run due to likely permissions issue on the server.

I am trying to get Squirrelmail running on a Centos 8 server. I have Centos 8 fully patched and running on stream.  Using Apache, dovecot,
SA, and clamav for email.  I have all those pieces installed and working, just need the webmail app to work and I should be GTG.

PHP is version 7.3.33, and I installed the 1.4.23-SVN gz file dated 11-17-2021.

I ran conf.pl and updated the parameters for this particular server.

The web Document root for Apache is /www. Squirrelmail is installed in /usr/share/squirrelmail.1423

I have a squirrelmail config file at /etc/httpd/conf.module.d called 16-squirrelmail.conf
Contents of that file are:
#
# SquirrelMail is a webmail package written in PHP.
#

Alias /webmail "/usr/share/squirrelmail.1423"

#<Directory "/usr/share/squirrelmail.1423/plugins/squirrelspell/modules">
<Directory "/webmail">
 AllowOverride None
 Options Indexes Multiviews
 Require all granted
</Directory>

# this section makes squirrelmail use https connections only, for this you
# need to have mod_ssl installed. If you want to use unsecure http
# connections, just remove this section:
#6-12-2020 commented out next five lines to test sqmail in http mode only
<Directory /usr/share/squirrelmail.1423>
  RewriteEngine  on
  RewriteCond    %{HTTPS} !=on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

I do not know if this ^^^file^^^ needs to be configured more.

My issue:  When trying to run the configtest.php file, I get the following error in the httpd/ssl_error.log file
[Thu Nov 18 18:12:41.534518 2021] [authz_core:error] [pid 9493:tid 140018726373120] [client 10.20.30.61:38104] AH01630: client denied by
server configuration: /usr/share/squirrelmail.1423/src/configtest.php

So, I think my issue with Squirrelmail is a permissions issue and I've been trying to solve that today.  Any changes to any /etc/httpd
conf files result in a restart for httpd for testing.

Can someone give me a few other pointers to look at, and also provide any insight into if the file contents I have provided are correct. 
I can also provide additional data as needed.

Thanks,

Jay

Re: [SM-USERS] SM and PHP8

[James B. B. <by...@ha...>]

On Sun, October 24, 2021 13:42, Paul Lesniewski wrote:
>
> You can't look at the code running on your own server?
>

./functions/strings.php:$version = '1.4.23 [SVN]';


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] SM and PHP8

[Paul L. <pa...@sq...>]

On Sun, October 24, 2021 5:29 pm, James B. Byrne wrote:
>
>
> On Sun, October 24, 2021 12:28, Paul Lesniewski wrote:
>>
>>
>> On Sun, October 24, 2021 4:11 pm, James B. Byrne via squirrelmail-users
>> wrote:
>>> I am testing a FreeBSD package for squirrelmail built for PHP8
>>
>> You need to indicate what version
>>
>
> This is all the info that I can get.  The package iteself will not open so
> I
> cannot tell what version SM thinks it is.

You can't look at the code running on your own server?

In any case, the problem is almost certainly that the package is built on
slightly outdated upstream code.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] SM and PHP8

[James B. B. <by...@ha...>]

On Sun, October 24, 2021 12:28, Paul Lesniewski wrote:
>
>
> On Sun, October 24, 2021 4:11 pm, James B. Byrne via squirrelmail-users
> wrote:
>> I am testing a FreeBSD package for squirrelmail built for PHP8
>
> You need to indicate what version
>

This is all the info that I can get.  The package iteself will not open so I
cannot tell what version SM thinks it is.  However, the packaged version for
php7.3 says this:


SquirrelMail version 1.4.23 [SVN]
By the SquirrelMail Project Team


# pkg info squirrelmail-php80-20200422
squirrelmail-php80-20200422
Name           : squirrelmail-php80
Version        : 20200422
Installed on   : Sun Oct 24 11:41:07 2021 EDT
Origin         : mail/squirrelmail
Architecture   : FreeBSD:12:*
Prefix         : /usr/local
Categories     : mail www
Licenses       : GPLv2+
Maintainer     : uz...@uz...
WWW            : http://www.squirrelmail.org/
Comment        : Webmail system which accesses mail over IMAP
Options        :
	DATABASE       : off
	DOCS           : on
	LDAP           : off
Annotations    :
	cpe            : cpe:2.3:a:squirrelmail:squirrelmail:20200422:::::freebsd12:x64
	flavor         : php80
	repo_type      : binary
	repository     : FreeBSD
Flat size      : 2.92MiB
Description    :
SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no Javascript required) for
maximum compatibility across browsers. It has very few requirements
and is very easy to configure and install. SquirrelMail has a all
the functionality you would want from an email client, including
strong MIME support, address books, and folder manipulation

WWW: http://www.squirrelmail.org/



-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] SM and PHP8

[Paul L. <pa...@sq...>]

On Sun, October 24, 2021 4:11 pm, James B. Byrne via squirrelmail-users
wrote:
> I am testing a FreeBSD package for squirrelmail built for PHP8

You need to indicate what version

> I get this
> error when I connect to the test server:
>
> [Sun Oct 24 12:01:56.267457 2021] [php:error] [pid 13492] [client
> 216.185.71.41:15698] PHP Fatal error:  Array and string offset access
> syntax
> with curly braces is no longer supported in
> /usr/local/www/squirrelmail/functions/strings.php on line 634

Please show that line (and a few lines before/after it).  I suspect this
is a problem in the FreeBSD package and not in our current code, but I can
take a look if you give some context.

> Is squirrelmail usable with PHP8?

Yes.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

[SM-USERS] SM and PHP8

[James B. B. <by...@ha...>]

I am testing a FreeBSD package for squirrelmail built for PHP8.  I get this
error when I connect to the test server:

[Sun Oct 24 12:01:56.267457 2021] [php:error] [pid 13492] [client
216.185.71.41:15698] PHP Fatal error:  Array and string offset access syntax
with curly braces is no longer supported in
/usr/local/www/squirrelmail/functions/strings.php on line 634

Is squirrelmail usable with PHP8?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] squirrelmail CVE-2020-14933

[James B. B. <by...@ha...>]

On Fri, October 15, 2021 14:37, Paul Lesniewski wrote:

>
> This was on my radar, but given your situation, I went ahead and contacted
> both NIST and MITRE just now.  If you have the FreeBSD maintainer's
> contact info, I can work with that person too, but I don't understand what
> you need from that person?  Maybe you want them to invalidate/reject the
> ticket on their bug tracker?
>

>From what I can gather from the NIST website each issuer of a version of the
software, in other words the packaged version (apt, yum, rpm, pkg, etc.) can
individually notify the NIST, via email, that their version/package does not
have the vulnerability.  This is additional to the development team.

I speculate that this practice allows distribution specific patches to be
recorded against the CVE that are created before the upstream developers
respond.

I looked up the details of the person who wrote the message to openwall and
their github account.  They have/had a fork of SM on github that they claimed
to patch to deal with security issues.  In the message used to originate this
CVE the claimed to have contacted you directly respecting this matter before
they posted on openwall.

Thanks for you attention to this.  I appreciate it very much.


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] squirrelmail CVE-2020-14933

[Paul L. <pa...@sq...>]

On Thu, October 14, 2021 10:09 pm, Paul Lesniewski wrote:
> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
> wrote:
>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>
>> Has this been patched?
>
> There is no vulnerability here.  Per OWASP:
>
> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>
> =====
> In order to successfully exploit a PHP Object Injection vulnerability two
> conditions must be met:
>
>   The application must have a class which implements a PHP magic method
> (such as __wakeup or __destruct) that can be used to carry out malicious
> attacks, or to start a “POP chain”.
>   All of the classes used during the attack must be declared when the
> vulnerable unserialize() is being called, otherwise object autoloading
> must be supported for such classes.
> =====
>
> SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
> this CVE seems to have only taken the word of the reporter, who has no
> proof that I know of that there is any security issue.  If anyone knows
> differently, please get in touch.
>
> I'll put something on our /security page to reflect the situation.

See: https://squirrelmail.org/security/issue.php?d=2021-10-15

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] squirrelmail CVE-2020-14933

[Paul L. <pa...@sq...>]

On Fri, October 15, 2021 2:36 pm, James B. Byrne wrote:
> n Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
>> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
>> wrote:
>>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>>
>>> Has this been patched?
>>
>> There is no vulnerability here.  Per OWASP:
>>
>> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>>
>> =====
>> In order to successfully exploit a PHP Object Injection vulnerability
>> two
>> conditions must be met:
>>
>>   The application must have a class which implements a PHP magic method
>> (such as __wakeup or __destruct) that can be used to carry out malicious
>> attacks, or to start a �POP chain�.
>>   All of the classes used during the attack must be declared when the
>> vulnerable unserialize() is being called, otherwise object autoloading
>> must be supported for such classes.
>> =====
>>
>> SquirrelMail doesn't qualify for that scenario.  Whoever
>> accepted/assigned
>> this CVE seems to have only taken the word of the reporter, who has no
>> proof that I know of that there is any security issue.  If anyone knows
>> differently, please get in touch.
>>
>> I'll put something on our /security page to reflect the situation.
>>
>> Cheers,
>
> My problem is that I am in the midst of a PCI audit; and we use
> SquirrelMail;
> and this CVE is an issue with them.  I doubt that either I or anyone else
> can
> convince the auditors to ignore what is on the NIST website identified as
> a
> Critical error respecting SM.  That said, I will show them your response.
> One
> never knows what can happen when dealing with people having much authority
> and
> little knowledge.
>
> I checked some Linux distros and the seem to have issued some sort of
> patch to
> deal with this.  I have seen a request made to the FreeBSD bug tracker to
> deal
> with this as well.
>
> I need something done to address this CVE, either by having it removed
> from
> NIST as invalid or through some sort of patch, meaningless or not, that
> convinces NIST that the issue is resolved.  That probably requires a new
> CPE,
> and that will no doubt require the FreeBSD port maintainer to issue a
> version
> upgrade.  Otherwise  I am going to be forced into an unwanted, and
> evidently
> unnecessary, migration.  For which I have neither the time nor resources
> to
> effect.

This was on my radar, but given your situation, I went ahead and contacted
both NIST and MITRE just now.  If you have the FreeBSD maintainer's
contact info, I can work with that person too, but I don't understand what
you need from that person?  Maybe you want them to invalidate/reject the
ticket on their bug tracker?

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] squirrelmail CVE-2020-14933

[James B. B. <by...@ha...>]

On Fri, October 15, 2021 10:36, James B. Byrne via squirrelmail-users wrote:
> n Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
>> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
>> wrote:
>>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>>
>>> Has this been patched?
>>
>> There is no vulnerability here.  Per OWASP:
>>
>> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>>
>> =====
>> In order to successfully exploit a PHP Object Injection vulnerability two
>> conditions must be met:
>>
>>   The application must have a class which implements a PHP magic method
>> (such as __wakeup or __destruct) that can be used to carry out malicious
>> attacks, or to start a “POP chain”.
>>   All of the classes used during the attack must be declared when the
>> vulnerable unserialize() is being called, otherwise object autoloading
>> must be supported for such classes.
>> =====
>>
>> SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
>> this CVE seems to have only taken the word of the reporter, who has no
>> proof that I know of that there is any security issue.  If anyone knows
>> differently, please get in touch.
>>

This is the CVE origin (https://www.openwall.com/lists/oss-security/2020/06/20/1).

Date: Sat, 20 Jun 2020 10:47:01 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Squirrelmail: Use of unserialize() on user data

Hi,

The PHP-based webmail tool Squirrelmail uses unserialize() for
untrusted data.

unserialize() is generally not considered safe for this, PHP does not
treat memory safety issues in unserialize as security bugs since a
while and there are other attacks.

In compose.php [1] you can see that squirrelmail uses unserialize on
$mailtodata, which directly comes from a GET variable.

This data usually comes from the mailto.php script which opens a mail
compose interface with a passed mail address.

I've written a patch to convert this to json_encode/json_decode [2].

Unfortunately this is not the only place using unserialize on untrusted
data, later in the same file you can see that $attachments is also
parsed with unserialize, which comes from POST data, thus also
user-controlled. Trying to patch this with a similar strategy broke the
attachment functionality. If someone else wants to give it a try happy
to accept patches. (I'm collecting squirrelmail patches that avoid
warnings, add compatibility to latest PHP versions and fix security
issues here [3]. For reasons unclear to me the squirrelmail developers
only irregularly answer when I send patches and seem to ignore some of
these issues. While they haven't made a release in a long time, they
still sometimes fix security issues in their svn repo.)

It is unclear to me how big of a risk these issues are. There are some
attack strategies on unserialize that involve constructors of objects
[4], but the squirrelmail code doesn't have many objects, so it is
unclear if this is a feasible attack strategy.

I had reported the unserialize security issue to Squirrelmail on May
23rd. Unfortunately I haven't received a reply.



[1]
https://svn.code.sf.net/p/squirrelmail/code/branches/SM-1_4-STABLE/squirrelmail/src/compose.php
[2]
https://github.com/hannob/squirrelpatches/blob/main/patches/squirrelmail-security-mailto-avoid-unserialize.diff
[3] https://github.com/hannob/squirrelpatches
[4] https://blog.ripstech.com/2018/php-object-injection/
-- 
Hanno Böck
https://hboeck.de/


>> I'll put something on our /security page to reflect the situation.
>>
>> Cheers,
>
> My problem is that I am in the midst of a PCI audit; and we use SquirrelMail;
> and this CVE is an issue with them.  I doubt that either I or anyone else can
> convince the auditors to ignore what is on the NIST website identified as a
> Critical error respecting SM.  That said, I will show them your response.  One
> never knows what can happen when dealing with people having much authority and
> little knowledge.
>
> I checked some Linux distros and the seem to have issued some sort of patch to
> deal with this.  I have seen a request made to the FreeBSD bug tracker to deal
> with this as well.
>
> I need something done to address this CVE, either by having it removed from
> NIST as invalid or through some sort of patch, meaningless or not, that
> convinces NIST that the issue is resolved.  That probably requires a new CPE,
> and that will no doubt require the FreeBSD port maintainer to issue a version
> upgrade.  Otherwise  I am going to be forced into an unwanted, and evidently
> unnecessary, migration.  For which I have neither the time nor resources to
> effect.
>
> Regards,
>
>


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] squirrelmail CVE-2020-14933

[James B. B. <by...@ha...>]

On Fri, October 15, 2021 10:36, James B. Byrne via squirrelmail-users wrote:
> n Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
>> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
>> wrote:
>>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>>
>>> Has this been patched?
>>
>> There is no vulnerability here.  Per OWASP:
>>
>> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>>
. . .
>>
>> SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
>> this CVE seems to have only taken the word of the reporter, who has no
>> proof that I know of that there is any security issue.  If anyone knows
>> differently, please get in touch.
>>
>> I'll put something on our /security page to reflect the situation.
>>
>> Cheers,
>
. . .
>
> I need something done to address this CVE, either by having it removed from
> NIST as invalid or through some sort of patch, meaningless or not, that
> convinces NIST that the issue is resolved.  That probably requires a new CPE,
> and that will no doubt require the FreeBSD port maintainer to issue a version
> upgrade.  Otherwise  I am going to be forced into an unwanted, and evidently
> unnecessary, migration.  For which I have neither the time nor resources to
> effect.
>
> Regards,
>
>

>From the NIST website (https://nvd.nist.gov/vuln/vendor-comments):

"Software development organizations can submit official comments by contacting
NVD staff ( nv...@ni...). The capability exists both for organizations to
manually submit comments and for organizations to log into NVD to issue and
modify comments themselves. We recommend the log in capability for
organizations that are affected by more than a few CVE vulnerabilities."

A developer comment sent to NIST to the effect that SM is not vulnerable would
probably satisfy the auditors (I hope).  If you would be so kind.

Regards,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] squirrelmail CVE-2020-14933

[James B. B. <by...@ha...>]

n Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
> wrote:
>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>
>> Has this been patched?
>
> There is no vulnerability here.  Per OWASP:
>
> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>
> =====
> In order to successfully exploit a PHP Object Injection vulnerability two
> conditions must be met:
>
>   The application must have a class which implements a PHP magic method
> (such as __wakeup or __destruct) that can be used to carry out malicious
> attacks, or to start a “POP chain”.
>   All of the classes used during the attack must be declared when the
> vulnerable unserialize() is being called, otherwise object autoloading
> must be supported for such classes.
> =====
>
> SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
> this CVE seems to have only taken the word of the reporter, who has no
> proof that I know of that there is any security issue.  If anyone knows
> differently, please get in touch.
>
> I'll put something on our /security page to reflect the situation.
>
> Cheers,

My problem is that I am in the midst of a PCI audit; and we use SquirrelMail;
and this CVE is an issue with them.  I doubt that either I or anyone else can
convince the auditors to ignore what is on the NIST website identified as a
Critical error respecting SM.  That said, I will show them your response.  One
never knows what can happen when dealing with people having much authority and
little knowledge.

I checked some Linux distros and the seem to have issued some sort of patch to
deal with this.  I have seen a request made to the FreeBSD bug tracker to deal
with this as well.

I need something done to address this CVE, either by having it removed from
NIST as invalid or through some sort of patch, meaningless or not, that
convinces NIST that the issue is resolved.  That probably requires a new CPE,
and that will no doubt require the FreeBSD port maintainer to issue a version
upgrade.  Otherwise  I am going to be forced into an unwanted, and evidently
unnecessary, migration.  For which I have neither the time nor resources to
effect.

Regards,


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] squirrelmail CVE-2020-14933

[Paul L. <pa...@sq...>]

On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
wrote:
> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>
> Has this been patched?

There is no vulnerability here.  Per OWASP:

https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

=====
In order to successfully exploit a PHP Object Injection vulnerability two
conditions must be met:

  The application must have a class which implements a PHP magic method
(such as __wakeup or __destruct) that can be used to carry out malicious
attacks, or to start a “POP chain”.
  All of the classes used during the attack must be declared when the
vulnerable unserialize() is being called, otherwise object autoloading
must be supported for such classes.
=====

SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
this CVE seems to have only taken the word of the reporter, who has no
proof that I know of that there is any security issue.  If anyone knows
differently, please get in touch.

I'll put something on our /security page to reflect the situation.

Cheers,
-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

Re: [SM-USERS] squirrelmail CVE-2020-14933

[Swaglord B. <swa...@gm...>]

I need to get back in track of a long time now I've not been online based
on some personal issues. I wish to learn back all I have lost.

On Thu, Oct 14, 2021, 8:47 PM James B. Byrne via squirrelmail-users <
squ...@li...> wrote:

> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>
> Has this been patched?
>
>
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
>    Unencrypted messages have no legal claim to privacy
>  Do NOT open attachments nor follow links sent by e-Mail
>
> James B. Byrne                mailto:By...@Ha...
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
>
>
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squ...@li...
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options):
> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>

[SM-USERS] squirrelmail CVE-2020-14933

[James B. B. <by...@ha...>]

See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106

Has this been patched?


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Re: [SM-USERS] I keep getting logged out of webmail

[James B. B. <by...@ha...>]

On Wed, May 12, 2021 01:51, Paul Lesniewski wrote:

> Also as previously suggested, please indicate what you see on screen and
> where -- is the folder list showing a "you must be logged in" error?  What
> happens if you right-click that frame and select H and then R?
>

I have pinned a note to my desktop to remind me to do this at the next
opportunity.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:By...@Ha...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3