[imp] IMP 2.2.5: some problems

Brent J. Nordquist bjn@horde.org
Tue, 29 May 2001 07:31:40 -0500 (CDT)


On Mon, 28 May 2001, Fritz Zaucker <zaucker@ee.ethz.ch> wrote:

> However, is there any documentation somewhere what changes were
> introduced in IMP 2.2.5 related to the upload business and why (there
> is nothing in the CHANGES file)?

The relevant entries are these (from imp/docs/CHANGES):

[bjn] SECURITY: Use is_uploaded_file() function to validate all attachment
      uploads (prevent spoofing).
[bjn] SECURITY: Fix attachment upload to use tempnam().  (Jarno Huuskonen
      <Jarno.Huuskonen@uku.fi>)
[cjh] SECURITY: Fix attachment viewers to use tempnam().

The issues:  (1) In two cases, IMP was generating its own temporary files
with predictable names, which made it vulnerable to sym. link (/tmp race)
kinds of attacks by users with local access to the IMP web server.  (2) A
newer PHP function, is_uploaded_file(), is now used to validate that an
attachment temporary file really came through the PHP upload mechanism.
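An added illustration, not code from IMP or from this message, of the two patterns the CHANGES entries contrast, written in current PHP. The function names, the `attachment` form field and the destination directory argument are assumptions made for illustration.

```php
<?php
// Added example (not IMP's own code). Function names, the "attachment"
// form field and the $tmpDir argument are assumptions for illustration.

// Weak pattern: a temporary file with a predictable name under a
// world-writable directory. Anything else running on the host can create
// that name first (for example as a symbolic link), so the copy below may
// follow the link and write somewhere the web-server user can reach.
// Nothing confirms that $file['tmp_name'] is really a PHP upload either.
function saveAttachmentUnsafe(array $file): string
{
    $dest = '/tmp/imp_attachment_' . basename($file['name']);
    copy($file['tmp_name'], $dest);
    return $dest;
}

// Hardened pattern, following the CHANGES entries:
//  - is_uploaded_file() confirms the source path was produced by PHP's
//    upload mechanism and is not an arbitrary path supplied by the client;
//  - tempnam() creates the destination itself, with an unpredictable name
//    and mode 0600, so there is no name an attacker can pre-create.
function saveAttachmentSafe(array $file, string $tmpDir): ?string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null; // not a genuine upload: refuse it
    }
    $dest = tempnam($tmpDir, 'imp');
    if ($dest === false) {
        return null; // could not create a temporary file in $tmpDir
    }
    // move_uploaded_file() re-checks is_uploaded_file() and replaces the
    // file tempnam() created; the name was reserved, so no race window.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        @unlink($dest);
        return null;
    }
    return $dest;
}

// Usage (assumed form field name "attachment"): the destination directory
// is the configured upload_tmp_dir, falling back to the system default.
if (isset($_FILES['attachment'])) {
    $dir  = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
    $path = saveAttachmentSafe($_FILES['attachment'], $dir);
    if ($path === null) {
        http_response_code(400);
        exit('attachment rejected');
    }
    // ... process $path, then unlink() it when finished ...
}
```

The hardened function keeps the two checks separate on purpose: is_uploaded_file() addresses spoofing of the source path, tempnam() addresses the predictable-destination race, and fixing only one leaves the other problem in place.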

There's also an issue in PHP with mkstemp() (see next question):

> I am having problems understanding the various permission/ownership
> issues involved here (I find the security model of PHP a bit strange).
> [...]
> Perhaps somebody could explain what steps are involved and what the
> ownership/permission issues are?

I think the best source of information is imp/docs/SECURITY.  There are
lots of pointers in there; the first section talks about upload_tmp_dir in
PHP.  I'm not sure if that answers your question; if you have more
specific questions, ask on the list.

> I could also not find any info in the PHP documentation about the
> implications of safe mode.

The consensus seems to be that PHP's safe mode, as it is today, gives a
false sense of security.  You shouldn't rely on it to make your
installation secure.

-- 
Brent J. Nordquist <bjn@horde.org> N0BJN
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942