The SquirrelMail team is happy to announce the release of version 1.4.17. The
most notable change is a security fix that prevents certain specially-crafted
hyperlinks within messages from executing cross-site scripting attacks. For
other details, see the ReleaseNotes file included in this release. We advise
all users of SquirrelMail software to upgrade.
The SquirrelMail team is happy to announce the release 1.4.16. The most
notable change is that cookies are now sent with the secure attribute set for
HTTPS-connections, meaning that they cannot leak to an HTTP-connection on the
same SquirrelMail installation. For details see the included ReleaseNotes. We
advise users that offer their SquirrelMail both over HTTP and HTTPS to
upgrade.
----------------------------
- Fix saving of Read Receipts to Sent folder.
- Converted Romanian (ro_RO) to UTF-8.
- Converted Slovak (sk_SK) to UTF-8.
- Converted Swedish (sv_SE) to UTF-8.
- Added support for Macedonian.
- Don't allow invalid plugin names in conf.pl --install-plugin.
- Fix warning in Printer Friendly due to missing include (#1849101).
- Let configtest.php use optional PEAR dynamic extension loading,
patch by Walter Huijbers (#1833123).
- Fix for IMAP servers that were having problems saving sent messages.
- Fix broken <style> tag parsing for some HTML messages, thanks
Roalt Zijlstra.
- Re-added support for Vietnamese.
- Fixed broken MDN functionality (send read confirmation).
- Converted Norwegian Bokm�l (nb_NO) to UTF-8.
- Converted traditional Chinese (zh_TW) to UTF-8.
- Avoid deprecation notices on get_magic_quotes_* functions.
- Improved Message-ID generation code.
- Added edit list, checkbox, radio group, multiple-select folder
list and multiple-select string list option widget types,
as well as support for the "trailing_text" widget attribute.
- Boolean option widgets are henceforth presented as checkboxes.
- Tidied up fortune plugin to be inline with specifications for plugins.
- Enhanced address book page: added 'Compose to' button, put labels
around address entries tied to checkboxes, improved column spacing,
added hook for plugins that can filter address book listings.
Complements RisuMail team (risumail.jp).
(pkgsrc notice: we were using the original, known-to-be-good 1.4.12
distfile so all your servers should be fine)
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.
NOTE: includes a critical bug fix in the attachment handling
- Enabled user selection of address format when adding from address
book during message composition.
- Fixed issue with adding attachments in PHP 4.x environments (#1805471).
- Backport size setting on "newmail" popup window.
- Added a "short_open_tag" configuration test.
- Undefined notice in error message box when no default folder prefix is set.
- Undefined index error when downloading. Possibly caused by using tabs and
opening multiple mailboxes.
- PAGE_NAME might not be defined in all plugins, which might cause a
"not defined" error on session timeouts.
- Fixed outgoing messages to allow addresses such as "0@..." or "000@...",
etc. (#1818398).
- Fixed issue with in-reply-to and reference headers not being retained on
reply (#1810659).
- Revived logout_error hook (#1800015).
- Allow custom session handlers to work correctly (and be defined at the
application level with SquirrelMail).
- Fix off-by-one in bodystructure parsing triggered by servers sending
a body location part (e.g. Sun Java System Messaging Server). Thanks
John Callahan (#1808382).
- Invalid initialization of To: header (#1772893).
- Includes cleanup in include/validate.php.
- Cleanup in multiple files to remove unneeded includes.
- Added sort by size (#812233 and #159997, plus multiple list requests).
Patch provided by Christopher E. Brown.
- Fix bug in sitewide SMTP settings still using authenticated user, rather
than configured settings (#1835942).
- Fixed mailto: functionality.
- Added mailto: link handling when viewing messages.
- Handle PHP's insistence on setting the value to 'deleted' for destroyed
sessions
Version 1.4.11 - 29 September 2007
----------------------------------
- Minimum PHP requirement raised from 4.0.6 to 4.1.0.
SquirrelMail has been broken for a while with 4.0.x without anyone
noticing, this move merely reflects reality.
- Fix broken set_url_var function in functions/html.php (#1729814).
- Fix config.pl not detecting auth support correctly (#1727033).
- Fix display of X-Priority in message view.
- Work around mailers sending broken Date headers with no space after the
first comma.
- Let POP3 class properly cope with lines starting with a '.'.
- Some HTML validation cleanups.
- Invalid year in sent_subfolders plugin (#1607380).
- Always treat Content-Type case-insensitively (#1732092).
- Fix typo: html/plain should be text/html.
- Fix en/decode header swith in MDN (#1694687).
- Fix compatibility with Windows path in administrator plugin (#1740469).
- Fix disabling password encryption in mail_fetch (#1738001).
- Fix busy loop and notice when two literals in IMAP fetch (#1739433).
- Backported code for site wide SMTP authentication (#1531889).
- Fixed issue with compose session not being cleaned after message is
saved or sent.
- Added ability to detect HTTP_X_FORWARDED_PROTO in get_location(),
thanks to Daniel Watts
- Fix test for signout.php in the logged in check in is_logged_in() so it
cannot be circumvented by manipulating the URL. External plugins might
rely on this function guaranteeing that the user is logged in.
- Use attachment_dir only at the point where we're actually
reading from / writing to the files, do not carry it around
in the object. This makes us safer in the event the object
is somehow exposed to the outside world.
- Better support mailboxes named 'None' (#1598890).
- Sort readdir() output in conf.pl (#1755886).
- Fix message cache in printer friendly, thanks Tomas Kuliavas.
- Made the webmail_top hook work again for plugins that want to change
the URI of the "right" frame; plugins have to change the value of the
global variable $right_frame_url
- Fix issue in darkness theme with extra closing bracket.
- No longer store all message composition sessions in the PHP session,
since it was not made use of and in rare cases, made sessions too big.
- Composition restoration functionality now correctly restores attachments.
- Added smtp_auth hook.
- Change default Selection List Style to Indented.
- Added "preselected" query argument to mailbox list.
- Added mailbox_display_buttons hook.
- Removed "Include CCs when Forwarding Messages", which had no functionality
whatsoever.
- Make the Message Details plugin actually show the correct entity when
viewing details of attached messages.
Shortly after the release of SquirrelMail 1.4.10, a regression in the compose
form was discovered. Unfortunately the limited disclosure of security patches
does not allow for public testing, so this regression went unnoticed. We're
sorry for the inconvenience.
This version, 1.4.10 is a maintenance release, addressing
the following problems since 1.4.9a:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements
(see ChangeLog for a full list)
Security issues
===============
This release addresses security issues found since the release of 1.4.9a:
There's an ongoing battle to further secure the HTML filter against malicious
HTML mail and the browsers that accept almost any malformed piece of HTML.
This release contains fixes for the following:
- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML
and JavaScript in many charsets. We now properly canonicalize the incoming
HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in
HTML mails which were in fact GET requests for the compose.php page sending
mail. These images are now properly detected, and the compose form will only
send mail through a POST request.
Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting
(parts of) these issues and working with us to get them resolved.
These are known as CVE-2007-1262. Further details on SquirrelMail
vulnerabilities can be found at the following address:
http://www.squirrelmail.org/security/
ChangLog:
Version 1.4.9a - 3 December 2006
--------------------------------
- Security: Multiple IE cross site scripting issues related to the
widely acceptation of the word expression and url by IE.
- Security: Removing @import when sanitizing html mail.
Version 1.4.9 - 2 December 2006
-------------------------------
- Drop obsolete script plugins/make_archive.pl.
- Fixed Google translate form in translate plugin. Added new language
pairs.
- Added XMAGICTRASH extension tests in configtest utility. Removed code
that handled 'inbox.trash' as special folder in courier (#1354393).
- Allowed moving folders to trash in courier.
- Fix misspelled constant PREG_SPLIT_NI_EMPTY in sqimap_get_message
(#1543573).
- Provide View Unsafe Images link on viewing a text/html attachment.
- Fix variable typo in folders_create.php (#1545316).
- Added Courier IMAP OUTBOX check to configtest utility.
- If mailbox name starts with slash or contains ../, error message is
generated. Safety check for insecure default UW IMAP setup (#1557078).
- Ignore message copy errors when messages are deleted. Allows to delete
messages when quota is exceeded (#614887, #646386, #1446026).
- Fixed unintended literal fetching (#1562271).
- Added global file based address book listing controls. Added line
length configuration option for local_file address book backend
(#1181561). Added address book data integrity checks in local_file
address book backend. Fixed eregi and object notices in local_file
and database address book backends. Added additional address book
field support.
- Fixed variable corruption in configtest utility.
- Checked if configuration file is readable in configuration utility
(#1568355).
- Special mailboxes marked in special_mailbox hook are no longer listed
in folder delete, rename and subscription options.
- Translate plugin: prevent PHP notice when viewing empty message.
- Add CEST and MEST (non-standard) timezone codes for +0200.
- Add <label> to From field in message list.
- Add support for parsing SpamAssassin's X-Spam-Status header (#1589520).
- Fix in bodystructure parser code related to strings ending with an
escape character.
- Added "attachment */*" hook
- Added third parameter $logout_link to logout_error hook that allows
plugin control over login page URI displayed on login error page.
- Security: close cross site scripting vulnerability in draft, compose
and mailto functionality [CVE-2006-6142].
- Security: work around an issue in Internet Explorer that would guess
the mime type of a file based on contents, not Content-Type header.
- Fixed URL for Read Receipts being incorrect in some cases (#1177518).
- Fixed endless loop when trying to parse "From: )(" (#1517867).
- Using is_file() instead of file_exists() in fortune plugin (#1499134).
- Add manual page for conf.pl under contrib.
- Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
We are pleased to announce the release of SquirrelMail 1.4.4. This
release is a strongly recommended upgrade due to a number of security
issues that have been resolved since 1.4.3a.
About This Release
------------------
This release contains a number of bug fixes, and security updates. The
list is very long, as this version has been hiding in the trees for a
while. For a full list of the changes, you can see the changelog here:
http://www.squirrelmail.org/changelog.php
A general summary of updates includes a few cross site scripting issues,
and two possible file inclusion issue (one remote, one local). Better
IMAP handling introduced for certain IMAP servers that advertise
LOGINDISABLED, folder handling, and a number of locales issues.
Locales
-------
Shortly after the release of 1.4.3, the locales were broken out of the
main branch into their own branch. This makes the SquirrelMail package
itself a lot smaller, along with allowing administrators to download just
the packages they need. Details on this change can be found in the
ReleaseNotes and the INSTALL files.
Main Changes:
lots of bug fixes, including some critical XSS (cross site scripting) issues.
Some new translations.
Added new preference that determines cursor focus when replying.
Display total number of new messages in newmail-plugin popup window.
Ported charset decoding support functions from SM head. Increases
number of readable charsets.
Fix SquirrelMail to work with PHP5.
Disabled Quick-email-reporting feature in spamcop plugin. (#809452). Admin
can enable it by setting variable in plugins/spamcop/setup.php.
Replaced obsolete 2mbit.com RBL with ahbl.org RBL (#829887).
Added new reply citation to include date and author.
* A complete rewrite of the way we send mail (Deliver-class),
and of the way we parse mail (MIME-bodystructure parsing).
This makes SquirrelMail more reliable and more efficient
at the same time!
* Support for IMAP UID which makes SquirrelMail more reliable.
* Optimizations to code and the number of IMAP calls; SquirrelMail
is now a very scalable webmail solution.
* Support for a wider range of authentication mechanisms.
* Lots of bugfixes, some new features and a couple of UI-tweaks.
This release incorporates some security fixes in relation to XSS
(cross site scripting) code which could allow malicious extraction of
information from the client browser. There is also a fix for the
SquirrelMail 1.2.10 "Double login" problem. This was related to a
session issue, and has been fixed.
* HTML cleanup on search and addressbook pages
* Fixes for multiple XXS exploits on the addressbook, search, help, and
options pages
* more accurate error messages on failed login
* HTML table cleanup when viewing attachments
* fix for X-MSMail-Priority conflict bug #600369
* fix for multiple email addresses on the same message line
* fix for "." on a single line in a text attachment bug #598750
* Core code and plugins converted to work with register_globals Off
* fix for reply quoting on resumed drafts
* fix for fgets errors in file_prefs bug #578834
* fix for date format on calendar day view bug #582919
* fix for org. logo width/height values bug #572807
* fix for reading/writing ldap prefs with conf.pl bug #57595
* fix for 'fixed' font style in css bug #571463
* fix for attachments in safe mode bug #585340
* fix for forward attachment bug #585836
* fix for php warning when saving drafts bug #585012
* returned generic_header hook to page_header.php bug #554278
* fix for syntax error in darkness theme bug #576066
* fix for some attachments not being displayed bug #577052
* fix for matching uppercase headers on mailbox display bug #584082
* fix for folder names containing regex characters bug #574889, #578156
* fix for endless loop on raw binary data in email bug #547662
- Bug fixes
- Added POP3 Before SMTP option
- Added a server-side thread sorting option per folder
- Added a server-side sorting global option
- Compose in new window size can be set in Display prefs
- PostgreSQL is now supported for database backed use
- Added user option to sort messages by internal date
- Added option to auto-append sig before reply/forward text
- Filters can be applied to only new mail
- Filtering now happens on folder list refresh
(no more warnings that fills in apache error_log).
Changes since 1.2.4:
- Multiple mailbox list calls cached.
- Added 'View unsafe images' link to the bottom of pages which contain
unsafe images.
- Fixed 'too many close table tags' and various other issues
which meant SM output didn't always validate as clean HTML.
- Added the ability to add special folders through plugins.
- Added an Always compose in a pop-up window option.
- Search page update with ability to save searches and search
all folders at once.
- Made searching on multiple criteria possible, with thanks to Jason Munro
- Fixed 'list all' in addressbook (#506624, thanks to Kurt Yoder)
- Fixed small bugs in db_prefs
- Allowed SquirrelMail to work from within a frame, eg. not using _top
this is configureable. (thanks to Simon Dick)
- Added options to conf.pl to enable automated plugin installation:
./conf.pl --install-plugin <pluginname>. This allows plugins to be
distributed in packages. Conf.pl now also reports when saving fails.
- Attachment hooks now also allow specification of generic rules like
text/* which will be used when no specific rule is available.
- conf.pl can now configure database backed address books and
preferences.
- Version 0.3.7 of SquirrelSpell. Fixes a potential privacy
vulnerability (symlink attack), plus introduces formatting fixes
and javadoc-style comments.
- Bugfix in mailfetch reported by Mateusz Mazur
- Administrator plugin. A web based conf.pl replacement.
- Removed GLOBALS from conf.pl
- HTML messages optimization.
- Added support for requesting read receipts (MDN) and delivery receipts.
- Added the ability to stop users changing their names and email addresses.
- Added signature into multiple identities (Stefan Meier <Stefan.Meier@cimsource.com>)
- Updated user help files to reflect UI chanegs and added functionality.
Changes:
Version 1.2.4 -- 25 January 2002
--------------------------------
- Fixes a nasty remote arbitrary command execution vulnerability
in the spellchecker plugin.
Version 1.2.3 -- 21 January 2002
--------------------------------
- Fixed focus system on pages that contain forms.
- Fixed IMAP code to send different command identifiers as per
section 2.2.1 of RFC 2060.
- Fixed 'sticky priority' so that replies are set to the same
priority as the original message.
- Fixed Printer Friendly to print HTML messages.
- Fixed multiple receivers in Sent mailbox (#500910).
- Disabled prefs caching under PHP 4.1
- Added "Search Memory". Enabling to store up to
9 predefined searchs.
- Increased security in html message.
- Added the possibility to specify system-defined css in order to
allow users to change the font family and size of SM. Making possible to
make it bigger or smaller depending on their screen size. Sysops may add
or remove these system-defined css located in themes/css/
- Fixed a bug appearing on some apache virtual hosts
- Fixed javascript error (#505255)
- Fixed the db_prefs so they work again (#499609, thanks to Simon Dick)
* Collapsible Folders - The folder list can be collapsed at any
parent folder. This makes folder lists with large
hierarchical structures much easier to manage and navigate.
* The Paginator! - This enables quick access to any page in the
message list by simply choosing the page number to view
rather than tediously clicking "next" 50 times.
* Hundreds of UI tweaks - The user interface has been given a
face-lift. The HTML has been largely overhauled, and while
it still has the same general feel, it has been made more
intuitive.
* Drafts - It is now possible to compose a message and save it to
be sent at a later date with the drafts option.
* New Options Page - The options page has been completely
rewritten for several reasons, the main of which was to
allow seamless integration of plugin options and to
provide uniformity throughout the entire section.
* Multiple Identities - It is now possible to create different
identities (home, work, school) that can be chosen upon
sending. Each identity can have its own email address,
full name, and signature.
* Reply Citations - Different types of citations are now possible
when replying to messages.
* Better Attachment Handling - The plugin, attachment_common, has
been fully integrated into the core of SquirrelMail. This
allows inline viewing of several different types of
attachments.
* Integration of Several Plugins - The following plugins have been
put directly into the core. As a result, be sure not to
install these as plugins, as the result may be (at best)
unpredictable: attachment_common, paginator, priority,
printer_friendly, sqclock, xmailer.
* Improved support for newer versions of PHP. Note that you may
have trouble if you are running PHP version 4.0.100
(commonly distributed with Debian 3.0).
* Ability to mark messages as read and unread from the message listing.
* Alternating Colors - The message list now alternates row colors
by default. This presents a much cleaner and easier to
read interface to the user.
