Re: [imp] FW: Horde library Bug part 2
From: Chuck Hagenbuch <chuck () HORDE ORG>
Date: Mon, 18 Sep 2000 15:54:14 -0400
Quoting Darron Froese <darron () froese org>:

> * Horde Library $from Bug part 2 + How to exploit with IMP and Sendmail *

An actual fix to this problem has been committed to the Horde 1.2 and Horde
1.3 cvs trees. Horde 1.2.2 (accompanied by IMP 2.2.2) should be released
shortly to make the fix generally available. A patch to upgrade
horde/lib/horde.lib (the file where the critical fix is applied) from the
1.2.1 version to the fixed version is available here:
(beware wrapped lines)

> Workaround: The "$from" var has to be checked for "-" chars following
> the space character. Passing those chars unfiltered will
> nearly always lead to exploitable bugs or errors.
> As neither a mail address nor a name with a leading minus
> sign does make sense, here is a small patch that converts
> every minus at the beginning of a word into an underscore:

Instead, we simply refuse to send the email if an address is specified which
contains spaces in the user () host portion of the address. We also put the
address following sendmail -f in double quotes, escaping any shell
characters inside it.

> Fix: Best solution would be generally not to pass vars to
> popen(), but rather opening the pipe to Sendmail by calling
> and putting all available information into the mail header.
> This requires some extra checking and converting, but
> secures the system a lot.

Unfortunately, doing so would remove our ability to correctly set the
envelope From address of emails sent out, which would result in some users
being unable to post to mailing lists, among other things.

> Feedback: Please send suggestions, updates, and comments to
> mailto: security () coc-ag net

As I understand it, it is considered courteous to give a project at least a
day to respond to security bugs to provide an official fix to accompany the
announcement. I realize that this was a follow-up to a previous disclosure,
but is 24 hours notice too much to ask?

> References: Both projects (Horde and IMP) of the horde group can be
> found at http://horde.org
> Despite those few bugs, these people there have really
> done a great job on free software.

Why thank you.

Charles Hagenbuch, <chuck () horde org>
"Every new beginning comes from some other beginning's end." - Semisonic
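
The check described in the message above (refuse an address with whitespace in the user@host portion, then quote what follows sendmail -f), as an added PHP example that is not Horde's code or patch. The function names and the sendmail path are assumptions, and escapeshellarg() stands in here for the double-quote escaping the message mentions.

```php
<?php
// Added example, not Horde's code. Names and the sendmail path are assumptions.
const SENDMAIL = '/usr/sbin/sendmail';

// Return the bare user@host to use as envelope sender, or null to refuse.
function envelope_sender(string $from): ?string
{
    // Accept "Name <user@host>" or a bare "user@host".
    $addr = preg_match('/<([^<>]*)>\s*$/', $from, $m) ? $m[1] : trim($from);

    // Whitespace or control characters in user@host: refuse to send.
    if ($addr === '' || preg_match('/[\s\x00-\x1f\x7f]/', $addr)) {
        return null;
    }
    // Exactly one "@" with something on each side.
    if (!preg_match('/^[^@]+@[^@]+$/', $addr)) {
        return null;
    }
    // A leading "-" has no place in an address and reads like an option.
    if ($addr[0] === '-') {
        return null;
    }
    return $addr;
}

// Build the command line for popen(), or null when the mail must not be sent.
function sendmail_command(string $from): ?string
{
    $addr = envelope_sender($from);
    if ($addr === null) {
        return null;
    }
    // "-f" and the address form one quoted shell word, so nothing in the
    // address can end the argument or be expanded by the shell.
    return SENDMAIL . ' -t -i ' . escapeshellarg('-f' . $addr);
}

// Constructed sample inputs.
$samples = [
    'alice@example.org',
    'Alice Example <alice@example.org>',
    "o'brien@example.org",
    'alice@example.org -someoption',
    '-alice@example.org',
];
foreach ($samples as $from) {
    printf("%-36s => %s\n", $from, sendmail_command($from) ?? 'REFUSED');
}
```

The first three samples produce a command with a single quoted -f argument; the last two are refused, so no mail is sent for them.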