[Tickets #5892] Re: Linked attachment feature vulnerability
bugs at bugs.horde.org
Sat Nov 17 18:46:26 UTC 2007
Ticket URL: http://bugs.horde.org/ticket/?id=5892
-----------------------------------------------------------------------
Ticket | 5892
Updated By | Chuck Hagenbuch <chuck at horde.org>
Summary | Linked attachment feature vulnerability
Queue | IMP
Version | HEAD
Type | Bug
State | Feedback
Priority | 2. Medium
Owners |
-----------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2007-11-17 10:46) wrote:
> What is needed is not a unique id, it's a secret and unique id. On
> Gmail, for example, each rcpt receives a unique and secret id in his
> URL, including the sender. A timestamp concatenated with a
> pseudo-random id, or something like that, may be a solution.
But the attachments are sent to email _recipients_, who don't have
accounts. So how do you propose to enforce the uniqueness? The attacker
could send them any valid id. Secret doesn't matter.