Thijs Kinkhorst | 21 Aug 12:10

reviewing random seeding

Hey all,

I've reviewed the seeding of the random number generator we do within
SquirrelMail and have found the following points:

1) The mail_fetch function uses not so secure seeding of srand().

However, the encryption used there is advertised as insecure anyway. I
wonder whether we should not just remove that feature altogether.
Trivially cracked encryption can be worse than no encryption because the
effect is the same for an attacker but it may create some sense of
security. What value does the function add if it's trivially cracked?

2) php_combined_lcg() in global.php seeds the random number generator in a
not so secure fashion.

I believe we should just rip out this seeding and replace it with a call
to sq_mt_randomize() instead so we have this code only in one place.

3) The behaviour of sq_mt_randomize() itself needs to be reviewed.

We currently re-seed it with several unpredictable values. We need to find
out whether re-seeding it actually adds randomness or just 'resets' the
thing so only the last one is useful.

PHP doesn't require seeding for versions 4.2 and up, but the PHP
implementation is reportedly limited in randomness unfortunately. The
newest suhosin patch is supposed to address that.

cheers,
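Point 3 above, as an added example in PHP (not SquirrelMail's sq_mt_randomize(), whose internals are not shown on this page): seeding mt_rand() several times in a row leaves only the last seed in effect, because every mt_srand() call replaces the whole generator state. The function names, the seed values and the mixing step are this example's own, not the project's.

```php
<?php
// Added example, not SquirrelMail code. Shows that repeated mt_srand() calls
// do not accumulate entropy, and how to fold several sources into one seed.

// Seed once and draw $n values.
function mt_sequence($seed, $n = 3) {
    mt_srand($seed);
    $out = array();
    for ($i = 0; $i < $n; $i++) {
        $out[] = mt_rand();
    }
    return $out;
}

// Seed with every value in $seeds in turn (the "re-seed several times"
// pattern), then draw $n values.
function mt_sequence_reseeded(array $seeds, $n = 3) {
    foreach ($seeds as $seed) {
        mt_srand($seed);   // each call discards the previous state entirely
    }
    $out = array();
    for ($i = 0; $i < $n; $i++) {
        $out[] = mt_rand();
    }
    return $out;
}

// Mix several sources into one seed before the single mt_srand() call.
// 7 hex digits of SHA-1 = 28 bits, which fits a 32-bit PHP integer, so this
// also works on 32-bit builds. The seed is still at most 32 bits wide however
// many sources go in; that is a limit of mt_srand() itself.
function combined_seed(array $sources) {
    return intval(substr(sha1(implode('|', $sources)), 0, 7), 16);
}

// Constructed inputs: two "unpredictable" values as a seeding routine might use.
$first  = 1215428400;          // e.g. a timestamp
$second = 4242;                // e.g. a process id

$only_second       = mt_sequence($second);
$first_then_second = mt_sequence_reseeded(array($first, $second));

// Identical output: seeding with $first beforehand contributed nothing.
echo ($only_second === $first_then_second)
    ? "re-seed first,second == seed second alone: the first seed was wasted\n"
    : "unexpected: sequences differ\n";

// With mixing, changing either source changes what mt_rand() produces.
$mixed         = mt_sequence(combined_seed(array($first, $second)));
$mixed_changed = mt_sequence(combined_seed(array($first + 1, $second)));
echo ($mixed !== $mixed_changed)
    ? "mixed seed: both sources now influence the stream\n"
    : "unexpected: collision\n";
```

Mixing fixes the "only the last seed counts" problem but not the underlying one: mt_rand() takes a 32-bit seed that can be brute-forced from a handful of outputs, so no seeding strategy makes it fit for session identifiers or reset tokens. On PHP 7 and later use random_bytes()/random_int(); on older PHP read from /dev/urandom or use openssl_random_pseudo_bytes() where it is available.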

Paul Lesniewski | 21 Aug 03:29

Image extension issue in mime.php

All,

  I was looking at an HTML email today that had an image URI that was
an .asp file.  SM blocked it, even when I clicked to view unsafe
images.... and that's because of the .asp file extension.  SM replaces
all images in HTML view with a blank image unless they are simple
image files with .jpg, .gif, .jpeg, .xjpeg, .jpe, .bmp, .png, or .xbm
extensions.  In today's world, I think there are probably a lot of
images being served dynamically, with URIs that have PHP, JSP, ASP or
some other file extension.  So, in a lot of cases, these should be
allowed and are not necessarily threatening or ill-intentioned.

  Can someone explain the rationale of keeping the list more
restricted?  What can a malicious image URI do if we open the list up
to such file extensions?  Really, if an attacker wanted to do
something here, they could easily circumvent this restriction by
putting a URI with a "valid" (say .png) extension that was really a
php file that is dynamically executed on the target server.  So what
does SM *GAIN* by keeping this list of known image extensions?  (What
we *LOSE* is proper display of many valid HTML mails for our users.)

  My feeling is that this should be addressed by either removing the
restriction list completely, adding .asp, .php, .jsp, and any other
common types, or putting a new configuration value in the config file
for admins who would like to do this themselves.

Thoughts please?

 - Paul


Bug in digest_md5_parse_challenge

Hi all,

This is my first mail to the list, so I'm going to introduce myself. My name is Pablo and I'm a Spanish (not only web) developer with some years of experience in PHP.

I've contacted you because, while installing SquirrelMail on a mail server, I've found a little bug in the digest_md5_parse_challenge function. I got SquirrelMail tonight from SourceForge's Subversion, and I've installed it on an up-to-date Debian stable + Apache 2 + PHP 5 server.

The specific problem is that, in the file functions/auth.php, line 202 checks only whether the $challenge variable is set, and doesn't check whether it's set to FALSE, producing a warning message on lines 203 and 207 when this occurs. This assignment can happen on line 201, because the function base64_decode, as the documentation [1] shows, returns FALSE on failure.

I hope the explanation is clear. I don't know yet how you handle submitting bugs and patches (I didn't have time to read about it in the project documentation), so I'd be grateful if someone could explain it to me. I know that many projects only give repository access to the most active people, but in any case I have an account at SourceForge (i02sopop). I don't have much time to develop new features, but I'll use it at home and at work, so I can be a good beta tester and I can also fix some bugs.

Thanks and regards

[1] - http://es.php.net/manual/en/function.base64-decode.php

--
Pablo Álvarez de Sotomayor Posadillo
Technical Engineer in Computer Systems
Linux user #367200 according to
http://counter.li.org/
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel <at> lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
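
The isset()-versus-FALSE problem Pablo describes, as an added PHP example that is not SquirrelMail's functions/auth.php: isset() is only false for null or an undefined variable, so a base64_decode() that returned FALSE passes the check and the boolean flows into the string handling that follows. The function names, the constructed challenge string and the key/value splitting below are this example's own, not the project's.

```php
<?php
// Added example, not SquirrelMail code. Contrasts the check described in the
// report (isset) with a check that catches a failed base64_decode().

// Shape of the reported bug: isset($challenge) is TRUE when $challenge === false,
// so a bad challenge is treated as if it had decoded fine.
function parse_challenge_buggy($encoded) {
    $challenge = base64_decode($encoded, true);   // strict mode: FALSE on bad input
    if (isset($challenge)) {
        // FALSE is coerced to '' here; the caller gets array('') and carries on
        // as if the server had sent an empty but valid challenge.
        return explode(',', $challenge);
    }
    return array();
}

// Fixed shape: test the return value itself, not whether the variable exists.
function parse_challenge_fixed($encoded) {
    $challenge = base64_decode($encoded, true);
    if ($challenge === false || $challenge === '') {
        return null;                              // caller must abort the SASL exchange
    }
    $pairs = array();
    // DIGEST-MD5 challenges are comma-separated key=value items; values may be
    // quoted and quoted values may contain commas, so split only on commas that
    // sit outside double quotes.
    $items = preg_split('/,(?=(?:[^"]*"[^"]*")*[^"]*$)/', $challenge);
    foreach ($items as $item) {
        if (strpos($item, '=') === false) {
            continue;
        }
        list($key, $value) = explode('=', $item, 2);
        $pairs[trim($key)] = trim($value, " \t\"");
    }
    return $pairs;
}

// Constructed sample inputs (not captured from a real server).
$good = base64_encode('realm="example.org",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess');
$bad  = '%%% not base64 %%%';

var_dump(parse_challenge_buggy($bad));    // array(1) { [0]=> string(0) "" }: the bug slips through
var_dump(parse_challenge_fixed($bad));    // NULL
print_r(parse_challenge_fixed($good));    // realm, nonce, qop, algorithm as keys
```

Note the strict flag: without the second argument, base64_decode() silently discards characters outside the alphabet and almost never returns FALSE, so the failure branch goes unexercised until it matters. Checking `=== false` rather than isset() is the fix in either mode.
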
Iván Chavero | 14 Aug 22:35

Shared Calendars for 1.5 SVN

Hello,

I'm trying to use the shared calendars plugin on the current SVN 1.5
version of SquirrelMail; the one that is available at the SquirrelMail
plugin page (2.0.1-1.4.0) does not work with my version of SquirrelMail.

I was porting the plugin to the new structure but I found out about a new
beta version that works with 1.5; I prefer to contribute by testing the
working version rather than duplicating the work of porting it to the new
SquirrelMail version.

Can somebody tell me where I can download it?

thanks


Fredrik Jervfors | 2 Aug 18:23

Updates in the plugin development documentation

Commit 13252[1] introduced the following paragraphs:

"A plugin can try to be smart about where to find the needed configuration
file by doing something such as this:

    if (!@include_once(SM_PATH . 'config/config_demo.php'))
       if (!@include_once(SM_PATH . 'plugins/demo/config.php'))
          @include_once(SM_PATH . 'plugins/demo/config.sample.php');

This assumes that the plugin has some sensible defaults in the sample
configuration file - if the plugin must be configured specifically for the
system upon which it is installed, remove the third line in this example."

If a plugin has a general configuration that can make it work out of the
box in the most cases, I prefer to have that configuration coded into the
plugin itself. If a valid configuration file exists, the plugin will allow
this to overrule the pre-set configuration.

I don't like to have the plugin read configuration from a configuration
file with the word "sample" in the filename, even if such a file exists.
One reason is that it encourages administrators to modify
"config.sample.php" instead of "config.php" which might cause them trouble
later. Another is that some distributions might want to have
"config.sample.php" in a documentation directory (and not a code
directory) when re-distributing.

For these reasons I'd like to have the code and the describing text in the
documentation rewritten so that it doesn't suggest actual use of the file
"config.sample.php".

And correct me if I'm wrong, but "sample" should really be "example",
since that's what it's all about. A "sample" is a small part of anything
or one of a number, intended to show the quality, style, or nature of the
whole. An "example" is a pattern or model, as of something to be imitated
or avoided. Could the documentation be updated with "sample" replaced by
"example", or is the old naming convention too much rooted?

Sincerely,
Fredrik

[1]
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/trunk/documentation/devel/devel.sgml?view=diff&r1=13251&r2=13252

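The alternative Fredrik describes, coded defaults overruled by a real configuration file and no read of config.sample.php, as an added PHP example that is not the SquirrelMail documentation's own snippet: the plugin name "demo", the option names and the helper name are placeholders, and SM_PATH is assumed to be defined by SquirrelMail as in the quoted snippet.

```php
<?php
// Added example, not SquirrelMail code. Defaults live in the plugin; an
// administrator's config file, if present, overrides them; config.sample.php
// is documentation only and is never included.

if (!defined('SM_PATH')) {
    define('SM_PATH', dirname(__FILE__) . '/');   // stand-alone run; SquirrelMail sets this
}

// $require_file = true corresponds to "remove the third line": a plugin that
// cannot work unconfigured gets null back and should refuse to load.
function demo_load_config($require_file = false) {
    $defaults = array(
        'demo_enabled'   => true,
        'demo_max_items' => 50,
    );
    // Only real configuration files are candidates, most specific first.
    $candidates = array(
        SM_PATH . 'config/config_demo.php',
        SM_PATH . 'plugins/demo/config.php',
    );
    foreach ($candidates as $file) {
        if (!is_readable($file)) {
            continue;                     // no @-suppression needed: we checked first
        }
        include $file;                    // config sets $demo_enabled, $demo_max_items
        $config = $defaults;
        foreach (array_keys($defaults) as $name) {
            if (isset($$name)) {          // pick up only known settings; ignore the rest
                $config[$name] = $$name;
            }
        }
        return $config;
    }
    return $require_file ? null : $defaults;
}

$config = demo_load_config();
if ($config === null) {
    echo "demo plugin: no configuration file found, plugin disabled\n";
} else {
    printf("demo plugin: enabled=%s max_items=%d\n",
           $config['demo_enabled'] ? 'yes' : 'no', $config['demo_max_items']);
}
```

Because the loop copies only settings the plugin already declares, a configuration file cannot smuggle in variables the plugin never defined, and is_readable() makes the missing-file case explicit instead of hiding it behind @ as the quoted snippet does.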

Alexandros Vellis | 23 Jul 08:26

Using Squirrelmail locale repository for a plugin

Can I, as a _plugin_ developer, make use of Squirrelmail locales
repository?

I'm thinking of making squirrelmail locales svn the authoritative place
for useracl.po files. In fact, the squirrelmail locales svn has more
translations for it than what I had in my useracl svn tree.

Shall I move these files from LC_MESSAGES/plugins/ to LC_MESSAGES/ so
that they will be included in new locales distributions? Or is there
something else to it?

Alexandros


Patrick Muldoon | 21 Jul 21:22

Restrict Sending From Address?

Looking at using the restrict_senders plugin, but from my digging that
appears to work on the IMAP username/domain they are logged in under.

Is there a plugin or any way to restrict what a user puts in the From/
Reply-To fields? Trying to stem some of the crap that comes through
the webmail servers when $sillyUser falls for a phish or $badPerson
guesses their password, and webmail is turned into a 419/spam cannon for
the 20-30 minutes till we find and kill it.

Going to be using restrict_senders to rate limit/block that way, but
looking for even more ways to tighten it down.

If no plugin exists I might look at coding one myself..

Thanks,
-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

 >Select * from users where clue > 0
0 Rows Returned


zerzadha | 17 Jul 12:42

Download Message as RFC822 - File 1 of 1 - yEnc "sqmail.patch" 805 bytes (1/1)


[yEnc-encoded attachment: sqmail.patch, 805 bytes, crc32=57016150. The encoded body was mangled in the archive and is not reproduced here.]

zerzadha | 17 Jul 12:42

Download Message as RFC822

Seems my message didn't get through, only my wrong patch.
Sorry for any confusion.

I made a patch that adds an option to allow you to download the message in 
RFC822 format. Use it to your liking.
The patch is against 1.4.15. If you encounter problems please let me know 
off-list.


zerzadha | 17 Jul 12:08

Download Message as RFC822 - File 1 of 1 - yEnc "sqmail.patch" 805 bytes (1/1)


[yEnc-encoded attachment: sqmail.patch, 805 bytes, crc32=dc711778. The encoded body was mangled in the archive and is not reproduced here.]

Ralf Hildebrandt | 7 Jul 18:19

Call to undefined function sq_send_mail()

Due to a recent spam incident (a Nigerian boy guessed a luser boy's password) I
installed the lockout plugin and configured it to send mail. I use the
compatibility plugin 2.0.9.

Yet I get:
Fatal error: Call to undefined function sq_send_mail() in
/var/www-lighty/squirrelmail-1.4.15/plugins/lockout/functions.php on
line 1204

According to Google I should "update my compatibility plugin". But it's
already the latest version!

--

-- 
Ralf Hildebrandt (on behalf of the IT Centre)   Ralf.Hildebrandt <at> charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Joint institution of FU and HU Berlin           Fax.  +49 (0)30-450 570-962
IT Centre, CBF site                     send no mail to snickebo <at> charite.de

