Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [imp] FW: Horde library Bug part 2
From: Chuck Hagenbuch <chuck () HORDE ORG>
Date: Mon, 18 Sep 2000 15:54:14 -0400

Quoting Darron Froese <darron () froese org>:

* Horde Library $from Bug part 2 + How to exploit with IMP and Sendmail *

An actual fix to this problem has been committed to the Horde 1.2 and Horde
1.3 cvs trees. Horde 1.2.2 (accompanied by IMP 2.2.2) should be released
shortly to make the fix generally available. A patch to upgrade
horde/lib/horde.lib (the file where the critical fix is applied) from the
1.2.1 version to the fixed version is available here:


(beware wrapped lines)

Workaround:     The "$from" var has to be checked for "-" chars following
                the space character. Passing those chars unfiltered will
                nearly always lead to exploitable bugs or errors.
                As neither a mail address nor a name with a leading minus
                sign does make sense, here is a small patch that converts
                every minus at the beginning of a word into an underscore:


Instead, we simply refuse to send the email if an address is specified which
contains spaces in the user () host portion of the address. We also put the
address following sendmail -f in double quotes, escaping any shell
characters inside it.

Fix:            Best solution would be generally not to pass vars to
                popen(), but rather opening the pipe to Sendmail by calling
                popen("$default->path_to_Sendmail -t)
                and putting all available information into the mail header.
                This requires some extra checking and converting, but
                secures the system a lot.

Unfortunately, doing so would remove our ability to correctly set the
envelope From address of emails sent out, which would result in some users
being unable to post to mailing lists, among other things.

Feedback:       Please send suggestions, updates, and comments to

                mailto: security () coc-ag net

As I understand it, it is considered courteous to give a project at least a
day to respond to security bugs to provide an official fix to accompany the
announcement. I realize that this was a follow-up to a previous disclosure,
but is 24 hours notice too much to ask?0

References:     Both projects (Horde and IMP) of the horde group can be
                found at http://horde.org
                Despite those few bugs, these people there have really
                done a great job on free software.

Why thank you.


Charles Hagenbuch, <chuck () horde org>
"Every new beginning comes from some other beginning's end." - Semisonic

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]