
Fixed minor vulnerability in Mail Fetch plugin [CVE-2010-1637/TEHTRI-SA-2010-009]

pdontthink 15 роки тому
батько
коміт
8e90c103d4

+ 1 - 0
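--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -342,6 +342,7 @@ Version 1.5.2 - SVN
   - Fix typo in SpamCop plugin.
   - Reduced default time security tokens stay valid from 30 days to 2 days
     (reduces chances of session data growing too large)
+  - Fixed minor vulnerability in Mail Fetch plugin [CVE-2010-1637/TEHTRI-SA-2010-009]
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------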

+ 26 - 0
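--- a/plugins/mail_fetch/README
+++ b/plugins/mail_fetch/README
@@ -75,6 +75,32 @@ the "Encrypt Password" checkbox in the option page is not checked. If you
 reenter account's passwords the system will switch to encrypted mode.
 
 
+Security
+========
+
+By default, the user is not allowed to enter a non-standard POP3 port
+number when configuring an external server with this plugin.  This prevents
+the use of this plugin as a port scanner against other servers.  However,
+if you need to allow users to access a POP3 service running on a non-
+standard port, you may create a "config.php" file by copying "config_example.php"
+and editing the list of allowable port numbers therein.  If "ALL" is added
+to the list of allowable port numbers, then there will be no restriction
+on port numbers whatsoever.  Be aware that although this may not represent
+any security threat to servers elsewhere on the Internet that does not
+already exist (other port scanners are freely available), if your server
+resides on a network behind a firewall, this could allow a malicious user
+to scan the servers and services behind your firewall that they'd normally
+not have access to.
+
+The user will also not be allowed to enter server addresses starting
+with "10.", "192.", "127." and "localhost" by default.  This prevents users
+from being able to scan an internal network for the presence of other servers
+they are not allowed to access.  If other server addresses should be banned,
+or this list is too restrictive, you may create a "config.php" file by copying
+"config_example.php" and then edit the list of blocked server addresses
+therein.
+
+
 Future Work
 ===========
 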

+ 51 - 2
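--- a/plugins/mail_fetch/config_default.php
+++ b/plugins/mail_fetch/config_default.php
@@ -10,9 +10,58 @@
  * @subpackage mail_fetch
  */
 
+
 /**
- * Controls use of unsubscribed folders in plugin. Change this to true if it is
- * allowed to store fetched messages in unsubscribed folders.
+ * Controls use of unsubscribed folders in plugin. Change this to true
+ * and save this file as "config.php" if it is allowed to store
+ * fetched messages in unsubscribed folders.
  */
 $mail_fetch_allow_unsubscribed = false;
 
+
+
+// This is the list of POP3 ports the user may specify.
+//
+// Usually, this does not need to be used at all, and
+// ports 110 and 995 will be the only available ports.
+//
+// If users are allowed to access POP3 that is served
+// on a non-standard port, you'll need to add that port
+// to this list and make sure this file is saved as
+// "config.php" in the mail_fetch plugin directory
+//
+// If you do not wish to restrict the allowable port
+// numbers at all, include "ALL" in this list.
+//
+$mail_fetch_allowable_ports = array(110, 995);
+
+
+
+// This is a pattern match that allows you to block
+// access to certain server addresses.  This prevents
+// a user from attempting to try to specify certain
+// servers when adding a POP3 address.
+//
+// By default, this plugin will block POP3 server
+// addresses starting with "10.", "192.", "127." and
+// "localhost" (the pattern shown below).
+//
+// If you want to block other addresses, you'll need
+// to add them to this pattern and make sure that this
+// file is saved as "config.php" in the mail_fetch
+// plugin diretory
+//
+// If you do not wish to restrict the allowable server
+// addresses at all, set this value to be "UNRESTRICTED"
+//
+// This is a full regular expression pattern
+//
+// Allow anything:
+//
+// $mail_fetch_block_server_pattern = 'UNRESTRICTED';
+//
+// Default pattern:
+//
+$mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+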
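Review bot: The default `$mail_fetch_block_server_pattern` does not line up with the private and loopback ranges it is meant to cover: `^192\.` rejects every 192.x.x.x address rather than only 192.168.0.0/16, while 172.16.0.0/12, 169.254.0.0/16 and mixed-case spellings of `localhost` are not matched at all. A tighter default would be `$mail_fetch_block_server_pattern = '/^(10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|localhost)/i';`. The same literal is repeated as the fallback in validate_mail_fetch_server_address() in functions.php and described in the README section, so all three should change together. Because this is a match on the text the user typed, the comment should also say that it cannot stop a public host name that resolves to an internal address; the comment's "diretory" is a typo for "directory".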

+ 67 - 1
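--- a/plugins/mail_fetch/functions.php
+++ b/plugins/mail_fetch/functions.php
@@ -22,7 +22,8 @@ include_once (SM_PATH . 'plugins/mail_fetch/constants.php');
 include_once (SM_PATH . 'plugins/mail_fetch/class.mail_fetch.php');
 
 /** declare plugin globals */
-global $mail_fetch_allow_unsubscribed;
+global $mail_fetch_allow_unsubscribed, $mail_fetch_allowable_ports,
+       $mail_fetch_block_server_pattern;
 
 /**
   * Add link to menu at top of content pane
@@ -417,3 +418,68 @@ function mail_fetch_check_noselect($imap_stream,$imap_folder) {
     }
     return false;
 }
+
+/**
+  * Validate a requested POP3 port number
+  *
+  * Allowable port numbers are configured in config.php
+  * (see config_example.php for an example and more
+  * rules about how the list of allowable port numbers
+  * can be specified)
+  *
+  * @param int $requested_port The port number given by the user
+  *
+  * @return string An error string is returned if the port
+  *                number is not allowable, otherwise an
+  *                empty string is returned.
+  *
+  */
+function validate_mail_fetch_port_number($requested_port) {
+    global $mail_fetch_allowable_ports;
+    if (empty($mail_fetch_allowable_ports))
+        $mail_fetch_allowable_ports = array(110, 995);
+
+    if (in_array('ALL', $mail_fetch_allowable_ports))
+        return '';
+
+    if (!in_array($requested_port, $mail_fetch_allowable_ports)) {
+        sq_change_text_domain('mail_fetch');
+        $error = _("Sorry, that port number is not allowed");
+        sq_change_text_domain('squirrelmail');
+        return $error;
+    }
+
+    return '';
+}
+
+/**
+  * Validate a requested POP3 server address
+  *
+  * Blocked server addresses are configured in config.php
+  * (see config_example.php for more details)
+  *
+  * @param int $requested_address The server address given by the user
+  *
+  * @return string An error string is returned if the server
+  *                address is not allowable, otherwise an
+  *                empty string is returned.
+  *
+  */
+function validate_mail_fetch_server_address($requested_address) {
+    global $mail_fetch_block_server_pattern;
+    if (empty($mail_fetch_block_server_pattern))
+        $mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+    if ($mail_fetch_block_server_pattern == 'UNRESTRICTED')
+        return '';
+
+    if (preg_match($mail_fetch_block_server_pattern, $requested_address)) {
+        sq_change_text_domain('mail_fetch');
+        $error = _("Sorry, that server address is not allowed");
+        sq_change_text_domain('squirrelmail');
+        return $error;
+    }
+
+    return '';
+}
+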
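Review bot: `in_array($requested_port, $mail_fetch_allowable_ports)` in validate_mail_fetch_port_number() compares the submitted string loosely against the integer list, so a value that is not a plain port number can still compare equal to an allowed entry, and options.php then stores the string as typed. Rejecting non-digit input first closes that: `if (!preg_match('/^[0-9]+\z/', $requested_port) || !in_array((int) $requested_port, $mail_fetch_allowable_ports)) {`. The `'ALL'` lookup would be safer with the strict flag, `in_array('ALL', $mail_fetch_allowable_ports, true)`, so that a stray numeric entry in the list cannot be taken for the wildcard on PHP versions where non-numeric strings compare equal to 0. The docblock of validate_mail_fetch_server_address() should read `@param string $requested_address`, and both docblocks point to config_example.php while this commit edits config_default.php; presumably they mean the same file, which is worth confirming.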

+ 43 - 2
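--- a/plugins/mail_fetch/options.php
+++ b/plugins/mail_fetch/options.php
@@ -56,6 +56,8 @@ sqgetGlobalVar('mf_lmos',          $mf_lmos,          SQ_POST);
 sqgetGlobalVar('mf_auth',          $mf_auth,          SQ_POST);
 sqgetGlobalVar('mf_type',          $mf_type,          SQ_POST);
 sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST);
+$mf_port = trim($mf_port);
+$mf_server = trim($mf_server);
 
 
 /* end globals */
@@ -64,6 +66,19 @@ displayPageHeader( $color );
 
 switch( $mf_action ) {
  case 'add':
+
+     $mf_action = 'config';
+
+     // restrict port number if necessary
+     //
+     $message = validate_mail_fetch_port_number($mf_port);
+     if (!empty($message)) break;
+
+     // restrict server address if necessary
+     //
+     $message = validate_mail_fetch_server_address($mf_server);
+     if (!empty($message)) break;
+
      if ($mf_sn<1) $mf_sn=0;
      if (!isset($mf_server)) return;
      setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
@@ -88,10 +103,28 @@ switch( $mf_action ) {
      setPref($data_dir,$username,"mailfetch_type_$mf_sn",(isset($mf_type)?$mf_type:MAIL_FETCH_USE_PLAIN));
      $mf_sn++;
      setPref($data_dir,$username,'mailfetch_server_number', $mf_sn);
-     $mf_action = 'config';
      break;
+
+ // modify a server
+ //
  case 'confirm_modify':
-     //modify    a server
+
+     // restrict port number if necessary
+     //
+     $message = validate_mail_fetch_port_number($mf_port);
+     if (!empty($message)) {
+         $mf_action = 'Modify';
+         break;
+     }
+
+     // restrict server address if necessary
+     //
+     $message = validate_mail_fetch_server_address($mf_server);
+     if (!empty($message)) {
+         $mf_action = 'Modify';
+         break;
+     }
+
      if (!isset($mf_server)) return;
      setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
      setPref($data_dir,$username,"mailfetch_port_$mf_sn", (isset($mf_port)?$mf_port:110));
@@ -209,6 +242,14 @@ echo '<br /><form method="post" action="'.$PHP_SELF.'">' .
                   ) ,
               'center', '', 'width="95%"' );
 
+// display error or other messages if necessary
+//
+if (!empty($message)) {
+    echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
+         html_tag( 'tr',
+         html_tag( 'td', '<b>' . $message . '</b>', 'center', $color[2] ));
+}
+
 switch( $mf_action ) {
  case 'config':
      echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .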
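Review bot: The validators are called only in the `add` and `confirm_modify` branches, so server and port values that were saved to preferences before this change are never re-checked here; unless the fetch code (not shown on this page) also calls validate_mail_fetch_port_number() and validate_mail_fetch_server_address() before connecting, existing entries keep working unchanged. `$message` is echoed into the page without being initialised in any of the visible hunks; adding `$message = '';` next to the new `trim()` lines keeps it under the script's control on every path. After `$mf_server = trim($mf_server);` the variable is always set, so the later `if (!isset($mf_server)) return;` guards no longer fire and an empty server name passes the pattern check and is saved; an explicit `if ($mf_server === '')` check that sets an error message would restore the intent. Both switch statements start and end outside the hunks.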