[Tickets #5892] Re: Linked attachment feature vulnerability

bugs at bugs.horde.org
Sat Nov 17 19:05:49 UTC 2007


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=5892
-----------------------------------------------------------------------
 Ticket             | 5892
 Updated By         | joao_mauricio at clix.pt
 Summary            | Linked attachment feature vulnerability
 Queue              | IMP
 Version            | HEAD
 Type               | Bug
 State              | Feedback
 Priority           | 2. Medium
 Owners             | 
-----------------------------------------------------------------------


joao_mauricio at clix.pt (2007-11-17 11:05) wrote:

The idea is that the server generates one unique id for each of the email
recipients, in such a way that the recipient could only open his own
attachment. Even if the attacker knows a valid id for his evil file, that
id should only work with his own Horde account. For the rest of the email
recipients (who don't have accounts), there's no problem, because the main
problem here is that the file is located and run in the same domain as the
recipient's webmail account, which is what makes the attack possible. If you
have the evil script running on webmail.server1 and the victim has his
account on webmail.server2, the script won't have the right permissions to
XSS the victim.
For the "webmail.server1 attacker, webmail.server1 victim" problem, I
think that it's possible to check which attachment is "visible" to which
account.

> But the attachments are sent to email _recipients_, who don't have 
> accounts. So how do you propose to enforce the uniqueness? The 
> attacker could send them any valid id. Secret doesn't matter.
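As an added illustration of the per-recipient binding proposed in this comment (this is example code, not part of the ticket and not Horde/IMP's own implementation), the snippet below derives each download token as an HMAC over the attachment id and the recipient identity, so a token issued for one account is rejected when presented under another account. The function names, the server key and the response headers are assumptions for the example. It also shows the response headers a download endpoint can send so the browser saves the file instead of rendering it in the webmail origin, which is the same-origin concern raised above. The objection in the quoted reply still stands for recipients without accounts: the server has no logged-in principal to check the token against, so the check below only helps for recipients who authenticate to the same webmail.

```python
import hashlib
import hmac

# Constructed server-side secret for the example; a deployment would load its own key.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def issue_token(attachment_id: str, recipient: str, key: bytes = SERVER_KEY) -> str:
    """Derive a download token bound to one (attachment, recipient) pair.

    The recipient is normalised so that case differences in the address do not
    produce different tokens for the same person.
    """
    message = f"{attachment_id}\x00{recipient.strip().lower()}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def authorize_download(attachment_id: str, presented_by: str, token: str,
                       key: bytes = SERVER_KEY) -> bool:
    """Accept the token only if it was issued for the principal presenting it.

    `presented_by` is the identity of the logged-in webmail account, not a
    value taken from the link itself, so a token minted for the attacker's own
    account cannot be replayed by a victim on the same server.
    """
    expected = issue_token(attachment_id, presented_by, key)
    # Constant-time comparison so token checking does not leak partial matches.
    return hmac.compare_digest(expected, token)


def download_headers(filename: str) -> dict:
    """Response headers that make the browser download the file rather than
    render it inside the webmail origin."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def scenario() -> dict:
    """Walk through the case from the ticket: the attacker mints a token for an
    attachment under his own account and a victim on the same server tries it.
    Returns the outcomes so they can be checked."""
    attachment = "att-0001"                      # constructed attachment id
    attacker = "mallory@webmail.server1"         # constructed accounts
    victim = "alice@webmail.server1"
    attacker_token = issue_token(attachment, attacker)
    return {
        "attacker_opens_own_file": authorize_download(attachment, attacker, attacker_token),
        "victim_with_attacker_token": authorize_download(attachment, victim, attacker_token),
        "tampered_token": authorize_download(attachment, attacker, attacker_token[:-1] + "0"),
    }


if __name__ == "__main__":
    print(scenario())
    print(download_headers('evil".html'))
```

The token is only useful together with a server-side lookup of who is logged in; anything the link carries (including a recipient address) must be treated as untrusted input, which is why `authorize_download` takes the principal from the session rather than from the URL.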
