[Tickets #5892] Re: Linked attachment feature vulnerability
bugs at bugs.horde.org
Sat Nov 17 19:05:49 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=5892
-----------------------------------------------------------------------
Ticket | 5892
Updated By | joao_mauricio at clix.pt
Summary | Linked attachment feature vulnerability
Queue | IMP
Version | HEAD
Type | Bug
State | Feedback
Priority | 2. Medium
Owners |
-----------------------------------------------------------------------
joao_mauricio at clix.pt (2007-11-17 11:05) wrote:
The idea is that the server generates one unique id for each of the email
recipients, in such a way that the recipient could only open his own
attachment. Even if the attacker knows a valid id for his evil file, that
id should only work with his own horde account. For the rest of the email
recipients (who don't have accounts), there's no problem, because the main
problem here is that the file is located and run in the same domain as the
recipient's webmail account, which makes it possible for the attack to
happen. If you have the evil script running on webmail.server1 and the
victim has its account on webmail.server2, the script won't have the right
permissions to XSS the victim.
For the "webmail.server1 attacker, webmail.server1 victim" problem, I
think that it's possible to check which attachment is "visible" to which
account.
> But the attachments are sent to email _recipients_, who don't have
> accounts. So how do you propose to enforce the uniqueness? The
> attacker could send them any valid id. Secret doesn't matter.
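
The per-recipient id check proposed in the comment above, sketched as an added example (not code from the ticket or from Horde/IMP). The `LinkStore` class, its method names and the addresses are hypothetical, and it assumes the webmail account name equals the recipient address.

```python
import secrets
from typing import Optional


class LinkStore:
    """One unguessable id per (attachment, recipient) pair, kept server-side."""

    def __init__(self) -> None:
        self._links: dict[str, tuple[str, str]] = {}

    def issue(self, attachment: str, recipients: list[str]) -> dict[str, str]:
        """Create a separate id for every recipient of the message."""
        issued = {}
        for rcpt in recipients:
            link_id = secrets.token_urlsafe(24)
            self._links[link_id] = (attachment, rcpt.strip().lower())
            issued[rcpt] = link_id
        return issued

    def resolve(self, link_id: str, session_user: Optional[str]) -> Optional[str]:
        """Return the attachment to serve, or None to refuse.

        session_user is the account logged in to this webmail host in the
        requesting browser; None means no session was presented.
        """
        entry = self._links.get(link_id)
        if entry is None:
            return None  # unknown or made-up id
        attachment, bound_to = entry
        if session_user is None:
            return attachment  # recipient without an account on this host
        if session_user.strip().lower() != bound_to:
            return None  # a valid id, but issued for a different account
        return attachment


def demo() -> dict[str, Optional[str]]:
    # Constructed addresses; the attacker mails a file to his own account.
    store = LinkStore()
    ids = store.issue("evil.html", ["attacker@server1.example"])
    attacker_id = ids["attacker@server1.example"]
    return {
        "attacker_own_session": store.resolve(attacker_id, "attacker@server1.example"),
        "victim_session": store.resolve(attacker_id, "victim@server1.example"),
        "no_session": store.resolve(attacker_id, None),
        "unknown_id": store.resolve("not-a-real-id", None),
    }
```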