From ziba at umich.edu  Mon Apr  7 17:01:46 2008
From: ziba at umich.edu (Ziba Scott)
Date: Mon, 07 Apr 2008 13:01:46 -0400
Subject: [imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD
Message-ID: <47FA537A.3060608@umich.edu>

Hi,

I've been working with Liam on the Apple Mail, multiple html tag issue.

Quoting Michael M Slusarz <slusarz <at> horde.org>:


> > Actually, I'm pretty sure that our HTML filter (specifically the preg  
> > regex I just fixed a week or two ago) will prevent this message from  
> > ever showing fully because it will purge all text after the 1st  
> > closing html tag.
>   


The xss filter (Text_Filter/Filter/xss.php) contains regular expressions
which strip html and body tags and anything outside of them. 

I know it's not Horde's responsibility to write workarounds for every
buggy mail client, but I think there is a small change that can be made
to accommodate multiple html or body tags without affecting the level of
xss protection.

The xss filter could comment out the html and body tags, instead of
stripping them and everything outside:
<!--<html>-->Begin forwarded message:<!--</html>-->

I'm unclear on the benefit of stripping everything outside of the html
tags if you've already commented them out.  Making this change shouldn't
allow a malicious user to get anything into the message that they
couldn't otherwise.

Here's a small patch with my proposed changes:

RCS file: /repository/framework/Text_Filter/Filter/xss.php,v
retrieving revision 1.12
diff -r1.12 xss.php
75,76c75,76
<             $patterns['/.*<(body|html)[^>]*>/si'] = '';
<             $patterns['/<\/(body|html)>.*/si'] = '';
---
>             $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>';
>             $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';


Thanks,
Ziba






From slusarz at horde.org  Mon Apr  7 17:18:32 2008
From: slusarz at horde.org (Michael M Slusarz)
Date: Mon, 07 Apr 2008 11:18:32 -0600
Subject: [imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD
In-Reply-To: <47FA537A.3060608@umich.edu>
References: <47FA537A.3060608@umich.edu>
Message-ID: <20080407111832.129672m4rhibe5q8@bigworm.curecanti.org>

Quoting Ziba Scott <ziba at umich.edu>:

> Hi,
>
> I've been working with Liam on the Apple Mail, multiple html tag issue.
>
> Quoting Michael M Slusarz <slusarz <at> horde.org>:
>
>
>> > Actually, I'm pretty sure that our HTML filter (specifically the preg
>> > regex I just fixed a week or two ago) will prevent this message from
>> > ever showing fully because it will purge all text after the 1st
>> > closing html tag.
>>
>
>
> The xss filter (Text_Filter/Filter/xss.php) contains regular expressions
> which strip html and body tags and anything outside of them.
>
> I know it's not Horde's responsibility to write workarounds for every
> buggy mail client, but I think there is a small change that can be made
> to accommodate multiple html or body tags without affecting the level of
> xss protection.
>
> The xss filter could comment out the html and body tags, instead of
> stripping them and everything outside:
> <!--<html>-->Begin forwarded message:<!--</html>-->
>
> I'm unclear on the benefit of stripping everything outside of the html
> tags if you've already commented them out.  Making this change shouldn't
> allow a malicious user to get anything into the message that they
> couldn't otherwise.
>
> Here's a small patch with my proposed changes:
>
> RCS file: /repository/framework/Text_Filter/Filter/xss.php,v
> retrieving revision 1.12
> diff -r1.12 xss.php
> 75,76c75,76
> <             $patterns['/.*<(body|html)[^>]*>/si'] = '';
> <             $patterns['/<\/(body|html)>.*/si'] = '';
> ---
>>             $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>';
>>             $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';
>
>
> Thanks,
> Ziba

Just so this doesn't get lost, could you put this information in a  
ticket (http://bugs.horde.org/)?  Thanks.

michael

-- 
___________________________________
Michael Slusarz [slusarz at horde.org]


From chuck at horde.org  Mon Apr  7 17:27:40 2008
From: chuck at horde.org (Chuck Hagenbuch)
Date: Mon, 07 Apr 2008 13:27:40 -0400
Subject: [imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD
In-Reply-To: <20080407111832.129672m4rhibe5q8@bigworm.curecanti.org>
References: <47FA537A.3060608@umich.edu>
	<20080407111832.129672m4rhibe5q8@bigworm.curecanti.org>
Message-ID: <20080407132740.88105n31h25sp8ws@technest.org>


>> I'm unclear on the benefit of stripping everything outside of the html
>> tags if you've already commented them out.  Making this change shouldn't
>> allow a malicious user to get anything into the message that they
>> couldn't otherwise.
>>
>> Here's a small patch with my proposed changes:
>>
>> RCS file: /repository/framework/Text_Filter/Filter/xss.php,v
>> retrieving revision 1.12
>> diff -r1.12 xss.php
>> 75,76c75,76
>> <             $patterns['/.*<(body|html)[^>]*>/si'] = '';
>> <             $patterns['/<\/(body|html)>.*/si'] = '';
>> ---
>>>             $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>';
>>>             $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';

For the record, I am opposed to this unless you can supply a test  
suite that assures us (as it's probably impossible to prove) that this  
CANNOT result in injecting something that gets out of those comments.  
Including any attributes on the body or html tags in the comment, in  
particular, seems VERY exploitable to me.

And I'm probably against this for 3.2 anyway since I don't want to  
take a chance of introducing a regression in our XSS filters.

-chuck

-- 
"I have concerns that we are not behaving like a mature, responsible,  
collection of interdependent organisms." - Rick O.

From chuck at horde.org  Mon Apr  7 18:21:18 2008
From: chuck at horde.org (Chuck Hagenbuch)
Date: Mon, 07 Apr 2008 14:21:18 -0400
Subject: [imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD
In-Reply-To: <47FA5F2F.6080502@umich.edu>
References: <47FA537A.3060608@umich.edu>
	<20080407111832.129672m4rhibe5q8@bigworm.curecanti.org>
	<20080407132740.88105n31h25sp8ws@technest.org>
	<47FA5F2F.6080502@umich.edu>
Message-ID: <20080407142118.16929am6rpe1d8o0@technest.org>

Please keep discussions on the lists.

Quoting Ziba Scott <ziba at umich.edu>:

> Maybe it would be better to just strip out the tags themselves (but not
> everything outside of the tags).  I don't see much value in keeping
> commented out html around:
>
> $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '';
> $patterns['/(<\/(body|html)>)/si'] = '';

That seems better to me.

> Stripping only the tags versus stripping the tags and outside of the
> tags doesn't give the attacker any new opportunities.  In the current
> system, the attacker just has to put their evil inside the html tags and
> it will not be removed.

Well, assuming it's not caught by anything else, but yes. My concern  
was not copying over attributes from html/body tags into comments.

> Can you elaborate on what you would like to see from me to be
> comfortable including an xss filter change?

If you look in framework/Text_Filter/tests/, there are a number of xss  
tests (all run by xss.phpt, I believe). Making sure that all of those  
still pass, and possibly adding some new tests that ensure that  
malicious code broken up into multiple <html> or <body> tags is still  
escape, would be the minimum.

Thanks,
-chuck

-- 
"I have concerns that we are not behaving like a mature, responsible,  
collection of interdependent organisms." - Rick O.

From roland.kronqvist at startspark.net  Mon Apr  7 19:40:19 2008
From: roland.kronqvist at startspark.net (Roland Kronqvist)
Date: Mon, 7 Apr 2008 22:40:19 +0300
Subject: [imp] Blank window when sending mail with IMP
Message-ID: <000901c898e7$36bfdcb0$3301a8c0@startspark.local>

Hello!

When I try to send mail with IMP I get a blank window when I press "Send message" and no message is sent. Also, when I have got a new message, IMP is just showing the
tabs headline, so much that I just know that I've got a message, but no messages that I can click on and open. I'm using PHP 4.4.8 on IIS 6

Best regards,
Roland Kronqvist

From anadeem_ch at yahoo.com  Tue Apr  8 05:46:33 2008
From: anadeem_ch at yahoo.com (Muhammad Ashraf Nadeem)
Date: Mon, 7 Apr 2008 22:46:33 -0700 (PDT)
Subject: [imp] unable to exec qq error no 4.3.0
Message-ID: <925683.96985.qm@web65611.mail.ac4.yahoo.com>

Hi List
while configuring horde-groupware-webmail-1.0.4, I cannot send mail . the error is 

"There was an error sending your message. Failed to send data SMTP: Invalid response code received from server( code:451 response Unable to exec qq(#4.3.0)"

I am using qmail1.03( of life with qmail) as SMTP server. message sending is successful when i use thunderbird or other mail program. but when i want to send mail using horde and imp then the above error comes. I increases the softlimit from15000000 to 400000000 .but still the problem persists.
 
 how do i get rid of the problem.
thanks.
A.Nadeem
 


      ____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
http://tc.deals.yahoo.com/tc/blockbuster/text5.com

From imp at aussec.com  Thu Apr 10 08:04:56 2008
From: imp at aussec.com (tom burkart)
Date: Thu, 10 Apr 2008 18:04:56 +1000
Subject: [imp] Possible issue with imp
In-Reply-To: <20080329211716.62665ceblt5lek1s@bigworm.curecanti.org>
References: <20080327130439.xkkbayyzgh448gko@www.aussec.com>
	<20080329201036.833064b39i27r63g@bigworm.curecanti.org>
	<20080330125729.qhae6sz0a9wggowo@www.aussec.com>
	<20080329211716.62665ceblt5lek1s@bigworm.curecanti.org>
Message-ID: <20080410180456.7z9dzqgess00c0kc@www.aussec.com>

Quoting Michael M Slusarz <slusarz at horde.org>:

>>> No.  That message views fine here (using the latest HEAD version).
>> Ok, given that I am on the latest stable release, how can I verify
>> whether this is an issue on my part or an issue on one of the
>> prerequisites or actually an issue on horde's part?  Go to HEAD?
> That's going to be the easiest way to to rule IMP out.
Ok, after lots of fighting with the thing I finally have  
horde/framework/imp running on a test system.

Indeed it does run fine on HEAD.

However, HEAD is way different to STABLE.  So we are comparing apples  
with oranges.  Hence, in my mind the issue is far from resolved.

I guess the main questions are:

- Is HEAD stable enough to use on a production server?
   - How do I upgrade/clean the database to make it work properly with  
HEAD (starting from scratch is not an option)?

- I have usually built RPMs to allow easy upgrade of the system.   
However, the way the framework wants to be installed makes packaging  
very difficult to say the least.  How can I get around this?

tom



From marcelo at marcelopedra.com.ar  Thu Apr 10 14:04:13 2008
From: marcelo at marcelopedra.com.ar (Marcelo Pedra)
Date: Thu, 10 Apr 2008 11:04:13 -0300
Subject: [imp] Attachments zero sized at composing time
Message-ID: <019401c89b13$cf26f5a0$e825fac9@NOSEASRATA>

Hi there people.

I and our customers, like with another users of cPanel are getting problems when using Horde webmail and want to add any kind of attachments when composing mails: it doesn't matter what the extension of the attached file be, it will weighs always 0.00 bytes. The problem began since the last security update done by cPanel, which upgraded Horde to 3.1.7. this problem also set to zero bytes the attachments when forwarding messages.

We have an entry for this problem at the cPanel users forum:
http://forums.cpanel.net/showthread.php?t=77551

Any kind of solution is needed to solve this. Please HELP!

Best regards,

Marcelo Pedra


From chuck at horde.org  Thu Apr 10 15:01:22 2008
From: chuck at horde.org (Chuck Hagenbuch)
Date: Thu, 10 Apr 2008 11:01:22 -0400
Subject: [imp] Attachments zero sized at composing time
In-Reply-To: <019401c89b13$cf26f5a0$e825fac9@NOSEASRATA>
References: <019401c89b13$cf26f5a0$e825fac9@NOSEASRATA>
Message-ID: <20080410110122.52801gmw252ggm3o@technest.org>

Quoting Marcelo Pedra <marcelo at marcelopedra.com.ar>:

> I and our customers, like with another users of cPanel are getting  
> problems when using Horde webmail and want to add any kind of  
> attachments when composing mails: it doesn't matter what the  
> extension of the attached file be, it will weighs always 0.00 bytes.  
> The problem began since the last security update done by cPanel,  
> which upgraded Horde to 3.1.7. this problem also set to zero bytes  
> the attachments when forwarding messages.

Unless they've fixed it since, that security update does not contain  
the correct fix and isn't the real Horde 3.1.7. You should probably  
run your own Horde install instead of using cPanel's.

> We have an entry for this problem at the cPanel users forum:
> http://forums.cpanel.net/showthread.php?t=77551

The forum isn't accessible without being logged in. And we as Horde  
developers don't know what code cPanel provides under the name "horde".

All I can suggest for now is http://wiki.horde.org/FAQ/Admin/FileUploads

-chuck

-- 
"I have concerns that we are not behaving like a mature, responsible,  
collection of interdependent organisms." - Rick O.

From esheesle at shadowlair.com  Sun Apr 13 19:49:14 2008
From: esheesle at shadowlair.com (Eric Sheesley)
Date: Sun, 13 Apr 2008 15:49:14 -0400
Subject: [imp] DIMP and GnuPG
Message-ID: <480263BA.90507@shadowlair.com>

I've been using IMP for some time now and decided to grab the most 
recent betas and play.  I love the Dynamic interface that dimp offers. 
My only question, is there a way to use gpg to encrypt/sign messages via 
the dynamic interface and are their plans to include that functionality 
at some point if not?

Thanks,
Eric