[imp] Still security issue with attachments?
Michael M Slusarz
slusarz@bigworm.colorado.edu
Tue, 16 Jul 2002 10:43:15 -0600
Quoting Harald Wilhelmi <harald.wilhelmi@tngtech.com>:
|
| Hello,
|
| a few days ago I looked at the IMP 3.1 code to add a custom feature.
| It seems to me that attachments in IMP 3.1 are handled insecurely.
| It's essentially the same issue as described in this bugtraq posting:
|
| http://online.securityfocus.com/archive/1/82088
|
| So it should be fixed since 2.2.1. However if I open in IMP 3.1
| a compose window, add an attachment, and look at the HTML I get
| I see:
|
| <input type="hidden" name="attachments_name[]" value="test" />
| <input type="hidden" name="attachments_size[]" value="4" />
| <input type="hidden" name="attachments_file[]"
| value="/tmp/impattdqiqwq" />
| <input type="hidden" name="attachments_type[]"
| value="application/octet-stream" />
| <input type="checkbox" name="delattachments[]"
| value="/tmp/impattdqiqwq" />
|
| I found also nothing in IMP's code to check for unexpected values in
| $HTTP_POST_VARS['attachments_name'] in compose.php.
|
| Did I miss something important? Bug? Feature?

The attachments code has been completely rewritten IN CVS/HEAD and doesn't
use any of these POST fields any more. Unfortunately, there is no way to
port this new code back to IMP 3.x - and the attachments code is not going
to be rewritten in 3.x. Thus, if you use IMP 3.x, you'll have to accept
this behavior (for now).
Also, don't see why ['attachments_name'] needs to be checked - it is not
being used as the temporary filename on the server (this filename is
randomly generated); it is simply the name passed along in the MIME headers.
michael
______________________________________________
Michael Slusarz [slusarz@bigworm.colorado.edu]
The University of Colorado at Boulder
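
The quoted form sends the server-side temp path back to the browser in `attachments_file[]` and `delattachments[]`. As an added example (not IMP's code and not the CVS/HEAD rewrite), this is one way a PHP handler could check such a returned value before using it. It assumes a Unix-like host, the `/tmp` directory and `impatt` prefix visible in the form, and a hypothetical per-session allow-list.

```php
<?php
// Added example, not IMP code. Assumptions: attachments are stored directly
// in ATTACH_DIR with the "impatt" prefix seen in the quoted form, and the
// server keeps a per-session list of the files it created.
const ATTACH_DIR = '/tmp';
const ATTACH_PREFIX = 'impatt';

/** Remember a server-created temp file in the session allow-list. */
function register_attachment(array &$session, string $path): void
{
    $session['attachments'][realpath($path)] = true;
}

/** Canonical path if the value names a file this session created, else null. */
function validate_attachment_path(array $session, $submitted): ?string
{
    if (!is_string($submitted) || strpos($submitted, "\0") !== false) {
        return null;                          // arrays, null bytes
    }
    $real = realpath($submitted);             // resolves ".." and symlinks
    if ($real === false || !is_file($real)) {
        return null;                          // missing or not a regular file
    }
    if (dirname($real) !== realpath(ATTACH_DIR)
        || strncmp(basename($real), ATTACH_PREFIX, strlen(ATTACH_PREFIX)) !== 0) {
        return null;                          // outside the attachment store
    }
    return isset($session['attachments'][$real]) ? $real : null;
}

// Constructed demo: one file registered to this session, one not registered.
$session = [];
$mine  = tempnam(ATTACH_DIR, ATTACH_PREFIX);
$other = tempnam(ATTACH_DIR, ATTACH_PREFIX);
register_attachment($session, $mine);

$cases = [
    'own upload'          => $mine,
    'unregistered upload' => $other,
    'path outside store'  => __FILE__,
    'non-string value'    => ['x'],
];
foreach ($cases as $label => $value) {
    $ok = validate_attachment_path($session, $value) !== null;
    printf("%-20s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
unlink($mine);
unlink($other);
```

Only the first case is accepted. The same check applies to a delete request before any `unlink()` on the submitted value.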