Re: php imap

[Pierre Jaury <pierre () jaury eu>]

Does the user have any control over $imap_server_* ?
If not (fixed or restricted choice), then ask yourself: should the user
be allowed to perform any IMAP operation over those servers. If not, you
might validate the input using regexps or even build them from properly
satanized metadata.

If the user has any control over host and port, then you have to check
the banner and exit if anything looks different from proper IMAP server.
Then, you might ask the same question: what may the user be allowed to
achieve, on which servers, etc. ?

On Mon, 2011-12-12 at 13:14 +0100, lifel0ver t0mh3t wrote: 
> hey!
> thanks for your answer, ill send more information now:
>
> the real connect is just made using some code like
>
> fsockopen($imap_server_address, $imap_port .... );
> then it checks the auth mechanismus
> and finally sends input
> like:
> fputs ($stream, $sid . ' ' . $mycommand . "\r\n");
>
> so what could lead to?
>
> thanks!
>
> On 12.12.2011 10:45, Pierre Jaury wrote:
> > Depends on the goal of your application and restriction supposed to be
> > applied to users. This could pretty much lead to accomplish any
> > operation made available by the IMAP server.
> >
> > Even worse : your application could be used as bouncer for any other
> > protocol as long as first sent IMAP commands do not interfere.
> >
> > We need more information about your context and needs to evaluate
> > possible attacks. But yes, this could definitely lead to something.
> >
> > On Sat, 2011-12-10 at 18:50 +0100, lifel0ver t0mh3t wrote:
> > > hi guys!
> > >
> > > im infront of an application that communicates over IMAP with a remote
> > > server.
> > > this works simply with fsockopen()
> > > the applications tries to authenticate then (sending unfiltered input)
> > >
> > > could this lead to anything?
> > > i cant come up with anything
> > >
> > > thanks!
> > >
> > > ------------------------------------------------------------------------
> > > Securing Apache Web Server with thawte Digital Certificate
> > > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > > certificates.
> > >
> > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

-- 
Pierre Jaury <pierre () jaury eu> +33(0)1.83.64.80.90
Réalisateur, hébergeur et infogéreur indépendant
Internet hosting, outsourcing and development as a freelancer

Attachment: signature.asc
Description: This is a digitally signed message part