Drupal Security Team: DRUPAL-SA-CONTRIB-2012-154
Oct 10, 2012 - 12:00 a.m.

SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities

2012-10-10 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 4.3 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 4.3 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.002 Low

  • Percentile: 54.7%

This module allows site users to read and write e-mail through an IMAP mail server.

There are four issues being addressed by this security advisory:

  • The module doesn’t sufficiently sanitize data when setting the page title.
  • The module may store Drupal login IDs and passwords in plain text in the data column of the users table.
  • The module doesn’t sufficiently sanitize data displayed from email messages.
  • The module allows users who have the ‘access basic_webmail’ permission to view the e-mail address of other site users.

CVE identifier(s) issued

  • XSS: CVE-2012-5569
  • Information disclosure: CVE-2012-5570

Versions affected

  • Basic webmail 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Basic webmail module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Basic webmail project page.

Reported by

  • Hunter Fox, provisional member of the Drupal Security Team

Fixed by

Coordinated by
