Security Basics mailing list archives
Re: php imap
From: Pierre Jaury <pierre () jaury eu>
Date: Mon, 12 Dec 2011 13:56:25 +0100
Does the user have any control over $imap_server_* ? If not (fixed or restricted choice), then ask yourself: should the user be allowed to perform any IMAP operation over those servers. If not, you might validate the input using regexps or even build them from properly satanized metadata. If the user has any control over host and port, then you have to check the banner and exit if anything looks different from proper IMAP server. Then, you might ask the same question: what may the user be allowed to achieve, on which servers, etc. ? On Mon, 2011-12-12 at 13:14 +0100, lifel0ver t0mh3t wrote:
hey! thanks for your answer, ill send more information now: the real connect is just made using some code like fsockopen($imap_server_address, $imap_port .... ); then it checks the auth mechanismus and finally sends input like: fputs ($stream, $sid . ' ' . $mycommand . "\r\n"); so what could lead to? thanks! On 12.12.2011 10:45, Pierre Jaury wrote:Depends on the goal of your application and restriction supposed to be applied to users. This could pretty much lead to accomplish any operation made available by the IMAP server. Even worse : your application could be used as bouncer for any other protocol as long as first sent IMAP commands do not interfere. We need more information about your context and needs to evaluate possible attacks. But yes, this could definitely lead to something. On Sat, 2011-12-10 at 18:50 +0100, lifel0ver t0mh3t wrote:hi guys! im infront of an application that communicates over IMAP with a remote server. this works simply with fsockopen() the applications tries to authenticate then (sending unfiltered input) could this lead to anything? i cant come up with anything thanks! ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
-- Pierre Jaury <pierre () jaury eu> +33(0)1.83.64.80.90 Réalisateur, hébergeur et infogéreur indépendant Internet hosting, outsourcing and development as a freelancer
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: Capturing network traffic and warning if its volume crosses a defined limit, (continued)
- Re: Capturing network traffic and warning if its volume crosses a defined limit Ali Kapucu (Dec 02)
- Re: Capturing network traffic and warning if its volume crosses a defined limit Curtis Duck (Dec 02)
- Re: Capturing network traffic and warning if its volume crosses a defined limit Chris Warren (Dec 02)
- RE: Capturing network traffic and warning if its volume crosses a defined limit Curtis Duck (Dec 02)
- Re: Capturing network traffic and warning if its volume crosses a defined limit Kurth Bemis (Dec 02)
- Re: Capturing network traffic and warning if its volume crosses a defined limit Ali Kapucu (Dec 02)
- RE: Capturing network traffic and warning if its volume crosses a defined limit Pranav Lal (Dec 04)
- Re: Capturing network traffic and warning if its volume crosses a defined limit _ (Dec 05)
- php imap lifel0ver t0mh3t (Dec 12)
- Re: php imap Pierre Jaury (Dec 12)
- Re: php imap lifel0ver t0mh3t (Dec 12)
- Re: php imap Pierre Jaury (Dec 12)
- RE: Capturing network traffic and warning if its volume crosses a defined limit Pranav Lal (Dec 04)