[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Phpgroupware-tracker] [bug #15225] mime boundery vulnerable
From: |
Chris Weiss |
Subject: |
[Phpgroupware-tracker] [bug #15225] mime boundery vulnerable |
Date: |
Thu, 15 Dec 2005 13:15:46 -0600 |
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.7 (Ubuntu package 1.0.7) |
URL:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=15225>
Summary: mime boundery vulnerable
Project: phpGroupWare
Submitted by: cw
Submitted on: Thu 12/15/05 at 13:15
Category: email
Item Group: 0.9.16.009
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Component Version: None
Platform Version: None
Reproducibility: None
Planned Release: None
Fixed Release:
_______________________________________________________
Details:
I don't think this is a security risk, it seems to only prevent the
forwarding of certain attachements. since it's an escaping issue it still
might be a security risk, I'm not good enough with regex to know.
Any email with a boundery containing a / (forward slash) will produce an
error. the reason is that the regex used to pull the attachement to the
forwarded email uses / as the regex delimiter and it's done in a way that
causes preg_replace to think the regex is finished. a sample error is:
Warning: Unknown modifier 'a' in
/var/www/phpgroupware/email/inc/class.bosend.inc.php on line 924
for the boundary of "828723761A.1134664025/mail.domain.com"
"/" is valid in a boundary as per http://www.ietf.org/rfc/rfc2046.txt.
I'll post on the mailing list to find the right "fix", for now escaping the /
works:
$this_boundary = str_replace('/', '\/', $this_boundary);
_______________________________________________________
Carbon-Copy List:
CC Address | Comment
------------------------------------+-----------------------------
address@hidden |
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=15225>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Phpgroupware-tracker] [bug #15225] mime boundery vulnerable,
Chris Weiss <=