From c81a4c421b03c456e0e7c4e244885d11397dc0ba Mon Sep 17 00:00:00 2001 From: Ilia Ross Date: Wed, 9 Aug 2023 17:12:16 +0300 Subject: [PATCH 1/4] Fix to address XSS issues `#1` --- mailbox/list_folders.cgi | 7 ++++++- mailbox/list_ifolders.cgi | 4 ++++ mailbox/view_mail.cgi | 6 +++--- mailbox/webmin_menu.pl | 2 +- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/mailbox/list_folders.cgi b/mailbox/list_folders.cgi index d891ee7e..0e41762e 100755 --- a/mailbox/list_folders.cgi +++ b/mailbox/list_folders.cgi @@ -28,18 +28,23 @@ print &ui_hidden_end("instr"); print &ui_form_start("delete_folders.cgi", "post"); my @tds = ( "width=5" ); my @folders = &list_folders_sorted(); +foreach my $folder (@folders) { + $folder->{'file'} = &html_escape($folder->{'file'}) + if ($folder->{'file'}); + } print &ui_columns_start([ "", $text{'folders_name'}, $text{'folders_path'}, $text{'folders_type'}, $text{'folders_size'}, $text{'folders_action'} ], undef, 0, \@tds); + # var_dump(\@folders); foreach my $f (@folders) { my @cols; my $deletable = 0; if ($f->{'inbox'} || $f->{'drafts'} || $f->{'spam'}) { # Inbox, drafs or spam folder which cannot be edited - push(@cols, $f->{'name'}); + push(@cols, &html_escape($f->{'name'})); } elsif ($f->{'type'} == 2) { # Link for editing POP3 folder diff --git a/mailbox/list_ifolders.cgi b/mailbox/list_ifolders.cgi index 807e398c..9f3e92b9 100755 --- a/mailbox/list_ifolders.cgi +++ b/mailbox/list_ifolders.cgi @@ -12,6 +12,10 @@ require './mailbox-lib.pl'; print &ui_form_start("delete_folders.cgi", "post"); my @tds = ( "width=5" ); my @folders = &list_folders_sorted(); +foreach my $folder (@folders) { + $folder->{'file'} = &html_escape($folder->{'file'}) + if ($folder->{'file'}); + } my @adders = ( "$text{'folders_addimap'}", "$text{'folders_addcomp'}", "$text{'folders_addvirt'}" ); diff --git a/mailbox/view_mail.cgi b/mailbox/view_mail.cgi index 819e71bd..35dd3d61 100755 --- a/mailbox/view_mail.cgi +++ b/mailbox/view_mail.cgi 
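Review bot: Escaping `$folder->{'file'}` in place rewrites the hashes returned by list_folders_sorted(), so any later use of `file` in this script sees HTML-escaped text instead of the original value, and the hunk shows only the table header being built, not those later uses; escape at the print site, as the `&html_escape($f->{'name'})` change lower in the same hunk does, and leave the data untouched. The identical pre-escaping loop is added in list_ifolders.cgi. The `# var_dump(\@folders);` line reads as a leftover debugging aid and should be dropped. Only the inbox/drafts/spam branch escapes `name`; the other branches of the foreach lie outside the hunk.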
@@ -521,15 +521,15 @@ if (!@sub) { if ($mail->{'sortidx'} != 0) { my $mailprv = $beside[$prv]; $left = "view_mail.cgi?id=".&urlize($mailprv->{'id'}). - "&folder=$in{'folder'}&start=$in{'start'}"; + "&folder=@{[&urlize($in{'folder'})]}&start=$in{'start'}"; } if ($mail->{'sortidx'} < $c-1) { my $mailnxt = $beside[$nxt]; $right = "view_mail.cgi?id=".&urlize($mailnxt->{'id'}). - "&folder=$in{'folder'}&start=$in{'start'}"; + "&folder=@{[&urlize($in{'folder'})]}&start=$in{'start'}"; } print &ui_page_flipper(&text('view_desc', $mail->{'sortidx'}+1, - $folder->{'name'}), + &html_escape($folder->{'name'})), undef, undef, $left, $right); } else { diff --git a/mailbox/webmin_menu.pl b/mailbox/webmin_menu.pl index d1693106..2a1fd9d0 100644 --- a/mailbox/webmin_menu.pl +++ b/mailbox/webmin_menu.pl @@ -51,7 +51,7 @@ sub list_webmin_menu my $item = { 'type' => 'item', 'id' => 'folder_'.$fid, 'folder' => 1, - 'desc' => $f->{'name'}, + 'desc' => &html_escape($f->{'name'}), 'link' => '/'.$module_name. '/index.cgi?id='.&urlize($fid) }; if ($f->{'type'} == 6 && From 84b53e6d6288b70ccfa7620b0b2a41ef33766bcc Mon Sep 17 00:00:00 2001 From: Ilia Ross Date: Wed, 9 Aug 2023 18:35:31 +0300 Subject: [PATCH 2/4] Fix to address XSS issues `#2` --- ssh/list_auths.cgi | 2 +- ssh/list_hosts.cgi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ssh/list_auths.cgi b/ssh/list_auths.cgi index e9c6066a..7bdfbef9 100755 --- a/ssh/list_auths.cgi +++ b/ssh/list_auths.cgi @@ -17,7 +17,7 @@ if (@auths) { foreach $a (@auths) { print &ui_columns_row([ "". - "$a->{'name'}", + "@{[&html_escape($a->{'name'})]}", "".substr($a->{'key'}, 0, 40)." ... ". substr($a->{'key'}, -40)."", ]); diff --git a/ssh/list_hosts.cgi b/ssh/list_hosts.cgi index 9de07948..f17779ab 100755 --- a/ssh/list_hosts.cgi +++ b/ssh/list_hosts.cgi 
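Review bot: `$in{'start'}` is still interpolated raw into both `$left` and `$right` while `folder` now goes through `&urlize`; the two parameters come from the same request, so write `"&folder=".&urlize($in{'folder'})."&start=".&urlize($in{'start'})`, which also drops the `@{[ ]}` interpolation trick that the surrounding `.`-concatenated expression does not need. Whether ui_page_flipper escapes `$left`/`$right` for attribute context is not visible here.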
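Review bot: Storing `&html_escape($f->{'name'})` in `desc` assumes the menu renderer prints `desc` verbatim; if it escapes on output, a folder name containing `&` or `<` will display as `&amp;amp;` or `&amp;lt;`. Worth checking one consumer of the menu items before merging; if `desc` is plain text by contract, the escape belongs in the renderer rather than in the data. list_webmin_menu begins and ends outside the hunk.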
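Review bot: The key cell in the same row still prints `substr($a->{'key'}, 0, 40)` and `substr($a->{'key'}, -40)` unescaped while only `name` gets `&html_escape`; both values are parsed from the same file, so wrap the two substr() results the same way. A string that contains nothing but `@{[&html_escape($a->{'name'})]}` can be written as `&html_escape($a->{'name'})` directly. The loop variable `$a` is Perl's sort variable; the foreach is context here, but renaming it would avoid surprises if a sort block is ever added nearby.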
@@ -11,7 +11,7 @@ foreach $h (@$hconf) { if (lc($h->{'name'}) eq 'host') { push(@links, "edit_host.cgi?idx=$i"); push(@icons, "images/host.gif"); - push(@titles, $h->{'values'}->[0] eq '*' ? "$text{'hosts_all'}" : $h->{'values'}->[0]); + push(@titles, $h->{'values'}->[0] eq '*' ? "$text{'hosts_all'}" : &html_escape($h->{'values'}->[0])); } $i++; } From 19987242efdf0b8d9d38240246dc77afa58579ae Mon Sep 17 00:00:00 2001 From: Ilia Ross Date: Wed, 9 Aug 2023 19:01:11 +0300 Subject: [PATCH 3/4] Fix index --- index.cgi | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/index.cgi b/index.cgi index fccbf928..7ed56b0b 100755 --- a/index.cgi +++ b/index.cgi @@ -62,10 +62,11 @@ elsif ($gconfig{"notabs_${base_remote_user}"} == 2 || if ($pos % $cols == 0) { print "\n"; } print "\n"; local $idx = $m->{'index_link'}; - print "\n"; + print "@{[&html_escape($m->{'desc'})]}\n"; if ($pos % $cols == $cols - 1) { print "\n"; } $pos++; } @@ -128,7 +129,7 @@ else { print "\n"; print "\n"; + "@{[&html_escape($t)]} \n"; print "\n"; } @@ -147,10 +148,11 @@ else { if ($pos % $cols == 0) { print "\n"; } print "
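Review bot: The changed `push` line now repeats `$h->{'values'}->[0]` three times and runs far past the 78-column convention; naming the value first keeps the escape visible: `my $host = $h->{'values'}->[0];` then `push(@titles, $host eq '*' ? $text{'hosts_all'} : &html_escape($host));` (the `"$text{...}"` quoting around a plain scalar is unnecessary). The enclosing foreach starts before the hunk.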
{'dir'}/$idx>", + my $alink = &urlize("$gconfig{'webprefix'}/$m->{'dir'}/$idx"); + print "
", "{'dir'}/images/icon.gif border=0 ", "width=48 height=48>
\n"; - print "
{'dir'}/$idx>$m->{'desc'}
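Review bot: `&urlize` over the whole `"$gconfig{'webprefix'}/$m->{'dir'}/$idx"` is the wrong escaper for an href: elsewhere in this series it is applied to single query values (`&urlize($fid)`), and if it percent-encodes every non-alphanumeric character, as Webmin's web-lib urlize does, the `/` separators become `%2F` and any `index_link` carrying `?` or `=` breaks. These pieces are server-side configuration, not request input; what the attribute needs is HTML escaping of the assembled path, `my $alink = &html_escape("$gconfig{'webprefix'}/$m->{'dir'}/$idx");`, and the same for `$mlink` in the `@@ -147` hunk. The removed line shows the attribute closing directly with `>` after `$idx`, so quoting it, `href="$alink"`, would be worth doing at the same time. This file's hunks are interleaved in the extraction, so line placement here is inferred.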
", $usercol ? "
" : "\"\"","
 ", - "$t ", $usercol ? "
" : "\"\"","
\n"; - print "\n"; + print "@{[&html_escape($m->{'desc'})]}\n"; if ($pos++ % $cols == $cols - 1) { print "\n"; } } while($pos++ % $cols) { From d6d23c8f293abab101c0fe113c421b59b2a8ca34 Mon Sep 17 00:00:00 2001 From: Ilia Ross Date: Tue, 15 Aug 2023 19:09:43 +0300 Subject: [PATCH 4/4] Fix to consider drafts --- mailbox/reply_mail.cgi | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/mailbox/reply_mail.cgi b/mailbox/reply_mail.cgi index 707dcfae..ec655d27 100755 --- a/mailbox/reply_mail.cgi +++ b/mailbox/reply_mail.cgi @@ -809,8 +809,9 @@ print &ui_table_start($text{'reply_body'}, "width=100%", 2, undef, # Process email quote my $iframe_quote; $iframe_quote = &iframe_quote($quote) - if (!$in{'new'}); - + if (!$in{'new'} && !$in{'enew'}); +my $draft; +$draft = $quote if ($in{'enew'}); if ($html_edit) { # Get HTML editor and replies @@ -832,7 +833,7 @@ if ($html_edit) { $sig = "

$sig

" if ($sig); print &ui_table_row(undef, - &ui_textarea("body", $sig, 16, 80, undef, 0, + &ui_textarea("body", $draft || $sig, 16, 80, undef, 0, "style='display: none' id=body data-html-mode='$userconfig{'html_edit_mode'}'"). $html_editor, 2); } @@ -842,7 +843,7 @@ else { $wm =~ s/^wrap=//g; my $wcols = $userconfig{'wrap_compose'}; print &ui_table_row(undef, - &ui_textarea("body", "\n\n$sig\n\n$quote", 16, + &ui_textarea("body", "\n".$draft || "\n\n$sig\n\n$quote", 16, $wcols || 80, $wcols ? "hard" : "", 0,
{'dir'}/>", + my $mlink = &urlize("$gconfig{'webprefix'}/$m->{'dir'}/"); + print "
", "{'dir'}/images/icon.gif alt=\"\" border=0>", "
\n"; - print "
{'dir'}/>$m->{'desc'}