[imp] Still security issue with attachments?

Michael M Slusarz slusarz@bigworm.colorado.edu
Tue, 16 Jul 2002 10:43:15 -0600


Quoting Harald Wilhelmi <harald.wilhelmi@tngtech.com>:

| 
| Hello,
| 
| a few days ago I looked at the IMP 3.1 code to add a custom feature.
| It seems to me that attachments in IMP 3.1 are handled insecurely.
| It's essentially the same issue as described in this bugtraq posting:
| 
| 	http://online.securityfocus.com/archive/1/82088
| 
| So it should be fixed since 2.2.1. However if I open in IMP 3.1
| a compose window, add an attachment, and look at the HTML I get
| I see:
| 
|         <input type="hidden" name="attachments_name[]" value="test" />
|         <input type="hidden" name="attachments_size[]" value="4" />
|         <input type="hidden" name="attachments_file[]"
| value="/tmp/impattdqiqwq" />
|         <input type="hidden" name="attachments_type[]"
| value="application/octet-stream" />
|         <input type="checkbox" name="delattachments[]"
| value="/tmp/impattdqiqwq" />
| 
| I found also nothing in IMP's code to check for unexpected values in
| $HTTP_POST_VARS['attachments_name'] in compose.php.
| 
| Did I miss something important? Bug? Feature?

The attachments code has been completely rewritten in CVS/HEAD and doesn't
use any of these POST fields any more.  Unfortunately, there is no way to
port this new code back to IMP 3.x - and the attachments code is not going
to be rewritten in 3.x.  Thus, if you use IMP 3.x, you'll have to accept
this behavior (for now).

Also, don't see why ['attachments_name'] needs to be checked - it is not 
being used as the temporary filename on the server (this filename is 
randomly generated); it is simply the name passed along in the MIME headers.

michael

______________________________________________
Michael Slusarz [slusarz@bigworm.colorado.edu]
The University of Colorado at Boulder
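The thread above contrasts round-tripping the server-side temp path through a hidden form field with keeping attachment state on the server. The following is an added example, not IMP's code and written in Python rather than PHP to keep it language-neutral: `vulnerable_attachment_path` shows the weak pattern, `AttachmentStore` a hardened one where the browser only ever sees an opaque id; `ATTACH_DIR`, the class and the sample values are all constructed here.

```python
import os
import secrets
import tempfile

# Constructed stand-in for the attachment temp directory (hypothetical path).
ATTACH_DIR = tempfile.mkdtemp(prefix="impatt")


def vulnerable_attachment_path(post):
    """Weak pattern: whatever the client sent back in the hidden
    attachments_file[] field is used as the path on the server."""
    return post["attachments_file[]"][0]


class AttachmentStore:
    """Hardened pattern: attachment records live server-side (per session),
    keyed by a random id; path, name and type never leave the server."""

    def __init__(self):
        self._records = {}

    def add(self, data, name, mime):
        # Random temp file inside ATTACH_DIR, as IMP already did for the path.
        fd, path = tempfile.mkstemp(prefix="impatt", dir=ATTACH_DIR)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        att_id = secrets.token_urlsafe(16)
        self._records[att_id] = {"path": path, "name": name, "type": mime}
        return att_id

    def resolve(self, att_id):
        """Map a client-supplied id to a path; unknown ids are refused and the
        stored path is re-checked against ATTACH_DIR as defence in depth."""
        rec = self._records.get(att_id)
        if rec is None:
            raise KeyError("unknown attachment id")
        real = os.path.realpath(rec["path"])
        base = os.path.realpath(ATTACH_DIR)
        if os.path.commonpath([real, base]) != base:
            raise ValueError("attachment path escaped attachment directory")
        return real

    def delete(self, att_id):
        """Server-side equivalent of the delattachments[] checkbox."""
        os.unlink(self.resolve(att_id))
        del self._records[att_id]
        return att_id
```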