Re: FWD: Squirrelmail XSS + SQL security bug?

To: "Jeroen van Wolffelaar" <jeroen@wolffelaar.nl>
Cc: "Rom?n Medina" <roman@rs-labs.com>, squirrelmail@packages.debian.org, debian-security@lists.debian.org, debian-qa@lists.debian.org, kink@squirrelmail.org
Subject: Re: FWD: Squirrelmail XSS + SQL security bug?
From: Román Medina <roman@rs-labs.com>
Date: Tue, 6 Jul 2004 12:47:21 +0200 (CEST)
Message-id: <[🔎] 42315.194.224.100.28.1089110841.squirrel@194.224.100.28>
In-reply-to: <[🔎] 20040706092809.GH9109@A-Eskwadraat.nl>
References: <[🔎] 20040705190523.GB32748@pgw.dmz> <[🔎] 20040705203845.GC1881@alcor.net> <[🔎] 20040706031511.GC4351@pgw.dmz> <[🔎] 29565.194.224.100.28.1089103726.squirrel@194.224.100.28> <[🔎] 20040706092809.GH9109@A-Eskwadraat.nl>

Hi Jeroen,

> Sam, could you please forward you incoming mail about security issues to
> someone who has more time to look into it?

Well, I wouldn't lose time doing so. Better to upgrade to latest 1.4.3a.
Yes, contrary to the Debian "backporting" policy, but in this case there
are sufficient reasons to make the exception (and it's less "intrusive"
than completely removing SM from Woody, as I listened before). I wouldn't
trust an old 1.2.6 version; not without some guarantees than SM team would
provide a detailed info of applied security fixes. And that's not the
case, as stated by Matt. In this case, I agree with him: SM team should
make a little effort to document such bugs instead of silently patching. I
told this to SM developpers when I contacted them one month ago. Security
through obscurity is not good at all.

>> I disclosed in a _detailed way_ several bugs:
>> [RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
>
> This wasn't reported in the Debian BTS.

I was unaware of Debian BTS when I reported the vuln. Anyway, it should be
sufficient to notify it to security email address. People who reports
security bugs doesn't necesarily need to know about bug tracking systems
or the way a "vendor" archives or deals with a reported bug.

Moreover, security teams should monitorize public security mailing-lists
like Bugtraq. So if the usual communication channels fail (for instance,
e-mail to security address), at least you are aware of public vulns) (and
then you can feed your internal / external BTS, or act as whatever you
want).

> I (the person uploading that version) was not aware of this, partly
> because you didn't file a bug in the BTS about this. Note however that

As I have told, to "file a bug" is not my duty (although I would have made
it if I had known of BTS' existence). I reported the bug to SM developpers
(_before_ making it public, that's important, and letting sufficient time
for the bug to be fixed) and also to Debian maintainer _as a courtesy_ (I
don't have the time nor resources to notify all distros which use SM; I
did the exception with Debian because I use Debian and I like it).

>> - I don't know whether or not the old XSS bugs which I reported to
>> affect
>> Debian Woody (read RS-2004-1) are still uncovered. I'm afraid it is...
>
> Thanks for the direct pointer, I assume you did contact
> team@security.debian.org about this?

I should check my outbox to verify this (I think I placed
security@debian.org in cc). In all cases:
- You can assume _at least_ Debian maintainer (Sam) was notified.
- I recall to have talked about this with Matt, so I assume he is / was
also aware of this. Indeed he replied in a public mailing-list to my
advisory post so he should read it:
http://seclists.org/lists/fulldisclosure/2004/Jun/0029.html

> Also, statements like this won't help you very much if you want a
> serious resonse:
>
> | Please, learn the lesson and repeat with me: "Debian stable software
> | is not always as secure as we usually thought". Oddly enough, Debian
> | unstable was free of these bugs :-)

This is my personal opinion and I'm free to think like this. I'm not
imposing anything.

> But Debian unstable keeps getting lots of other bugs, so is often no
> alternative :)

Well, from security perspective I prefer unstable. Same applies to
"usability" perspective (I don't like outdated versions of certain
software). Again this is my personal opinion. I respect Debian Woody
policy but I don't support it. Better not to speak about this (flame-war
risk! :-)).

> If Debian isn't notified of security bugs, they can't fix them. Weird

Don't blame me. Your statement is easily refutable: "If Debian maintainers
don't answer to important mails (I know the email address was fine because
I previosly had contacted Sam using the same method; and I insisted trying
to re-contact) and Debian security team is unaware of public security
mailing-lists (or they answer to certain threads without reading the
original post :-?) it's not my fault". Please, don't start the war. I'm
only defending my position :)

> that you here claim unstable was free of these bugs, while above you
> claim Debian unstable _had_ these bugs at the time of your advisory. So,
> which one of the two is it? Or are there more issues involved than the
> ones detailed in RS-2004-1?

Please, read my adv with more attention. Let's quote from it:
* From "summary" part:
"A vulnerability has been discovered in SM..." ---> This is the NEW bug.
"As a side effect of my research I discovered that older known SM flaws were
still present in latest Debian stable (Woody) package. I will also discuss
them here (there is no need to issue another advisory only for that ;-)).
But _please note_ that if I don't explicitly mention it, I will always be
referring to the new (and recently discovered) bug." ---> I mention the
old bugs too and clearly referred to Woody.
* From "Affected versions":
"The (new) bug could be reproduced with latest version of SM (both stable
and devel branchs) (*). In particular:
- - 1.4.3 (CVS) (**)
- - 1.4.3 (RC1)
- - 1.5.0
- - 1.5.1 (CVS) (**)"

[1.5.0 was shipped in Debian Unstable so it is clear that the new bug
affects Debian unstable]

"  Older versions are also vulnerable (latest Debian packages [1.2.6-1.3 and
1.5.0-1] were also tested and confirmed to be buggy too)." --> So Debian
Woody is also confirmed to be vulnerable to the same bugs!

Where am I claiming "unstable was free of these bugs" ?

These comments was referred to the NEW bug as stated before ("But _please
note_ that if I don't explicitly mention it, I will always be referring to
the new (and recently discovered) bug."). Note also the "(new)" string
which  I added for the sake of clarity.

Moreover:
* ".: [ TECHNICAL ANALYSIS - 1st part: old SM flaws still living around us ]"
This refers to the old vulnerabilities present _only_ in Woody. Please,
recall the summary ("As a side effect of my research I discovered that
older known SM flaws were still present in latest Debian stable (Woody)
package").

* ".: [ TECHNICAL ANALYSIS - 2nd part: seeking a new vuln! ]"
This refers to the NEW bug (affecting both Woody and Unstable).

I hope this will clears things out.

> - Refrain from flamebait if you're not interested in a flame-war ;-)

Without harshness :-)

Regards,
-Román

Reply to:

Follow-Ups:
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

References:
- FWD: Squirrelmail XSS + SQL security bug?
  - From: adam-debian-security@gmi.com
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Matt Zimmerman <mdz@debian.org>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Adam Morley <adam-debian-security@gmi.com>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Román Medina <roman@rs-labs.com>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Prev by Date: Re: FWD: Squirrelmail XSS + SQL security bug?
Next by Date: Re: FWD: Squirrelmail XSS + SQL security bug?
Previous by thread: Re: FWD: Squirrelmail XSS + SQL security bug?
Next by thread: Re: FWD: Squirrelmail XSS + SQL security bug?
Index(es):
- Date
- Thread