On Tue, Oct 5, 2010 at 9:28 AM, Moritz Naumann <security@xxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
> vulnerable to cross site scripting (XSS).
>
> The vkeyboard.php script fails to sanitize the value of HTTP GET
> parameter 'passformname' which the script stores in a variable of the
> same name and outputs (unmodified) into a HTML document later. As such,
> it is possible to inject client-evaluated HTML and script code into the
> output generated by the application.
>
> For proof of concept, accessing the following location ([Base_URL]
> refers to a Squirrelmail installation with a vulnerable version of the
> 'Virtual Keyboard' plugin) results in a javascript generated alert
> window reading 'XSS' popping up:
>> [Base_URL]/plugins/vkeyboard/vkeyboard.php?passformname=%22%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E%3Cscript%3E/*%20
>
> 'Virtual Keyboard' installations can be found using this 'Google dork':
>> http://google.com/search?hl=en&safe=off&filter=0&q=inurl%3A%22vkeyboard.php%22
>
> This vulnerability was originally reported in early May 2010.
> A suitable update fixing this issue, Virtual Keyboard v0.9.2 for
> Squirrelmail 1.4.x, has been provided to the Squirrelmail developers and
> me by Daniel Kobayashi Imori of Bastion Systems (the original developer
> of this plugin) in early June 2010 and is attached to this email -
> thanks Daniel. The Squirrelmail team has not yet made it to update this
> plugin in their repository:
> http://squirrelmail.org/plugin_view.php?id=159

As a member of the SquirrelMail development team, I am quite displeased with this announcement. The reporter did not check in with us before it was made. The truth of the matter, of which the reporter seems ignorant and apparently didn't bother to verify, is as follows:

The version with a fix was in fact sent to me personally, but not, as the reporter claims, to all the "SquirrelMail developers." That version was not up to spec in several regards, and so I encouraged the plugin's author to work on a more up-to-date version. The author responded with interest, but after another correspondence regarding the quality of the plugin's code, the author failed to reply. As far as I was concerned, the issue was waiting for the author to respond to me and/or the issue reporter with an updated status of the plugin.

Early on, the reporter (Moritz Naumann) sent more than one email prodding for the chance to publish the vulnerability, which to me sounded quite impatient and thus, as far as I could tell, eager to take credit for the discovery rather than help resolve the situation. After the author fell silent, Moritz also fell silent and gave no indication that he planned to make this announcement.

While we are greatly interested in providing only secure plugins to our community, the SquirrelMail developers do not take ultimate responsibility for any third party plugins and moreover take VERY UNKINDLY to this kind of impatient, uncommunicative and irresponsible issue publishing.

> So this is the first public release I am aware of.

Great, so you've made a big name for yourself now.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
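The defect the advisory describes (a GET parameter copied into a variable and written into HTML unmodified) and its standard fix, as an added example that is not the vkeyboard plugin's own code and not part of this thread. The hidden-input markup, the helper names and the allow-list pattern are assumptions chosen to illustrate the point; the actual plugin code was not inspected here.

```php
<?php
// Added illustration, not the Virtual Keyboard plugin's source. It shows the
// pattern the advisory names (unsanitized 'passformname' echoed into HTML)
// beside an output-encoded version. Markup and names are hypothetical.

// Vulnerable pattern: the raw query-string value is concatenated into an
// attribute. A value containing '">' closes the attribute and the tag, so
// whatever follows is parsed as new markup by the browser.
function render_vulnerable(array $get): string
{
    $passformname = isset($get['passformname']) ? $get['passformname'] : '';
    return '<input type="hidden" name="passformname" value="' . $passformname . '">';
}

// Hardened pattern: encode for the HTML attribute context. htmlspecialchars
// with ENT_QUOTES turns '"', "'", '<', '>' and '&' into entities, so the value
// can no longer terminate the attribute or introduce a tag. The allow-list is
// an additional, assumed restriction: a form name is a plain identifier, so
// anything else is rejected outright rather than merely escaped.
function render_hardened(array $get): string
{
    $passformname = isset($get['passformname']) ? (string) $get['passformname'] : '';
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $passformname)) {
        $passformname = ''; // not a legitimate form name; drop it
    }
    $safe = htmlspecialchars($passformname, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return '<input type="hidden" name="passformname" value="' . $safe . '">';
}

// Constructed probe resembling the decoded advisory payload.
$probe = ['passformname' => '"><script>alert(\'XSS\');</script>'];

echo render_vulnerable($probe), PHP_EOL;
// attribute closed, <script> element emitted as real markup

echo render_hardened($probe), PHP_EOL;
// value fails the allow-list; output is an empty, inert attribute

echo render_hardened(['passformname' => 'login_form']), PHP_EOL;
// legitimate name passes through unchanged
```

Even without the allow-list, the `htmlspecialchars` call alone neutralizes the injection, because the encoded quote and angle brackets are rendered as text rather than parsed as markup; the allow-list is defence in depth for a parameter whose legitimate values are known to be simple identifiers.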