
Fix: False Positives in CVE-2002-1131 (SquirrelMail Fingerprint) #15595

Merged
pussycat0x merged 6 commits into projectdiscovery:main from Eren-Akdag:fix/CVE-2002-1131-fp
Mar 17, 2026

Conversation

@Eren-Akdag
Contributor

PR Information

This PR updates the CVE-2002-1131 (SquirrelMail 1.2.6/1.2.7 Cross-Site Scripting) nuclei template to address a significant False Positive issue.

Motivation:
During our routine vulnerability scanning, we noticed that this template triggers False Positives against actual corporate assets or poorly-configured web endpoints (e.g., misconfigured proxies, custom SSO login portals, error default pages) that blindly echo back any user input appended to the URL as raw HTML content. Because the previous template solely relied on detecting the payload string (</script><script>alert(document.domain)</script>) alongside a 200 OK status and a text/html header, these generic responses incorrectly triggered high-severity XSS alerts, even when the asset was completely unrelated to SquirrelMail.

Solution Introduced:
To improve the fidelity of the template and align with ProjectDiscovery best practices, a Product Fingerprinting matcher has been introduced.

```yaml
      - type: word
        part: body
        words:
          - "SquirrelMail"
        case-insensitive: true
```

By ensuring the underlying technology is explicitly identified within the response body footprint, this change completely eliminates false positives caused by generic reflection, while ensuring there are zero false negatives against legitimate vulnerable targets.

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Prior to this update, a typical reflection scenario causing a False Positive looked like this:

Request Payload Sent:

```http
GET /src/addressbook.php?%3C%... HTTP/1.1
Host: [REDACTED_CORPORATE_ASSET]
```

Server Response Header:

```http
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
...
```

Server Response Body (RAW):

```html
...
<input value="/SIPManagement/servlet?</script><script>alert(document.domain)</script>=" name="lastUrl" type="hidden">
...
```

As observed above, the payload is blindly reflected back inside a hidden input field of a completely different application. Since the word "SquirrelMail" is missing, the new template successfully skips this junk endpoint.

Debugging & Validation Flow:

```console
# 1. Validation against a known false positive endpoint
$ nuclei -t http/cves/2002/CVE-2002-1131.yaml -u https://[REDACTED_FALSE_POSITIVE] -fhr

[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Scan completed in 1.450s. No results found.  ✅ (False Positive Eliminated)

# 2. Validation against a real SquirrelMail environment (True Positive Target)
$ nuclei -t http/cves/2002/CVE-2002-1131.yaml -u https://[REDACTED_SQUIRRELMAIL_HOST] -fhr

[CVE-2002-1131] [http] [high] https://[REDACTED_SQUIRRELMAIL_HOST]/src/addressbook.php?...
[INF] Scan completed in 1.890s. 1 matches found.   ✅ (No False Negatives)
```

None of the prerequisites are obligatory; they are merely intended to speed the review process.

Additional References:
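The matcher logic the PR describes (payload reflection AND 200 AND text/html, now also AND a case-insensitive "SquirrelMail" body word), replayed against the two kinds of response discussed above. This is an added illustration, not code from the PR or from nuclei: the evaluator is a deliberately minimal model of nuclei's `word`/`status` matchers with `matchers-condition: and`, and both sample responses are constructed.

```python
# Added example: minimal model of nuclei-style matchers, not nuclei's engine.
PAYLOAD = "</script><script>alert(document.domain)</script>"

# Matchers as described in the PR for the old template (combined with AND).
OLD_MATCHERS = [
    {"type": "status", "status": [200]},
    {"type": "word", "part": "header", "words": ["text/html"]},
    {"type": "word", "part": "body", "words": [PAYLOAD]},
]
# New template: same matchers plus the product fingerprint from the PR.
NEW_MATCHERS = OLD_MATCHERS + [
    {"type": "word", "part": "body", "words": ["SquirrelMail"],
     "case-insensitive": True},
]

def matcher_hits(matcher, response):
    """Evaluate one matcher against {'status', 'header', 'body'}."""
    if matcher["type"] == "status":
        return response["status"] in matcher["status"]
    if matcher["type"] == "word":
        haystack = response[matcher["part"]]
        words = matcher["words"]
        if matcher.get("case-insensitive"):
            haystack = haystack.lower()
            words = [w.lower() for w in words]
        # words inside one matcher are OR-ed (nuclei's default condition)
        return any(w in haystack for w in words)
    raise ValueError(f"unsupported matcher type: {matcher['type']}")

def template_matches(matchers, response):
    """matchers-condition: and -> every matcher must hit."""
    return all(matcher_hits(m, response) for m in matchers)

# Constructed: unrelated app that echoes the query string (the PR's FP case).
GENERIC_REFLECTION = {
    "status": 200,
    "header": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n",
    "body": f'<input value="/SIPManagement/servlet?{PAYLOAD}=" '
            'name="lastUrl" type="hidden">',
}
# Constructed: reflection inside a page that identifies itself as SquirrelMail.
SQUIRRELMAIL_PAGE = {
    "status": 200,
    "header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "body": f"<title>SquirrelMail - Address Book</title>{PAYLOAD}",
}

if __name__ == "__main__":
    for name, resp in (("generic", GENERIC_REFLECTION), ("squirrelmail", SQUIRRELMAIL_PAGE)):
        print(name, "old:", template_matches(OLD_MATCHERS, resp),
              "new:", template_matches(NEW_MATCHERS, resp))
```

The old matcher set fires on both responses; the new set fires only on the page that carries the SquirrelMail fingerprint.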

@neo-by-projectdiscovery-dev

neo-by-projectdiscovery-dev bot commented Mar 17, 2026

Neo - Nuclei Template Review

No security issues found

Highlights

  • Adds case-insensitive 'SquirrelMail' word matcher to CVE-2002-1131 template
  • Prevents false positives against generic reflection endpoints
  • Maintains detection accuracy for actual vulnerable SquirrelMail installations

Hardening Notes
  • ✅ No ReDoS vulnerabilities - uses simple word matching (type: word), not regex patterns
  • ✅ No template bypass vulnerabilities - proper AND conditions require both payload reflection AND SquirrelMail fingerprint
  • ✅ No injection vulnerabilities - no attacker-controlled input, payloads correctly URL-encoded
  • ✅ No information disclosure risks - template only detects known vulnerabilities
  • ✅ No logic errors - fingerprinting correctly strengthens detection fidelity
  • Template follows ProjectDiscovery best practices for vulnerability detection
  • User validated against both vulnerable and patched targets per PR description


@ritikchaddha ritikchaddha added the Done Ready to merge label Mar 17, 2026
@pussycat0x
Contributor

pussycat0x commented Mar 17, 2026

Hi @Eren-Akdag, Thank you for updating this template with the community and for your contribution to this project. Your efforts are greatly appreciated. Cheers!

@Eren-Akdag
Contributor Author

Hi @pussycat0x, thanks! Happy to contribute 🙌

@pussycat0x pussycat0x merged commit ee2e0b3 into projectdiscovery:main Mar 17, 2026
4 checks passed