Bugtraq mailing list archives
Re: [imp] FW: Horde library Bug part 2
From: Chuck Hagenbuch <chuck () HORDE ORG>
Date: Mon, 18 Sep 2000 15:54:14 -0400
Quoting Darron Froese <darron () froese org>:
> * Horde Library $from Bug part 2 + How to exploit with IMP and Sendmail *
An actual fix to this problem has been committed to the Horde 1.2 and Horde 1.3 cvs trees. Horde 1.2.2 (accompanied by IMP 2.2.2) should be released shortly to make the fix generally available. A patch to upgrade horde/lib/horde.lib (the file where the critical fix is applied) from the 1.2.1 version to the fixed version is available here: http://cvs.horde.org/cvsweb.pl/lib/Attic/horde.lib.diff?cvsroot=horde&r1=1.1.2.24%3AHORDE_1_2_1&tr1=1.1&r2=text&tr2=1.1.2.29&f=u (beware wrapped lines)
> Workaround: The "$from" var has to be checked for "-" chars following the space character. Passing those chars unfiltered will nearly always lead to exploitable bugs or errors. As neither a mail address nor a name with a leading minus sign makes sense, here is a small patch that converts every minus at the beginning of a word into an underscore: http://ssl.coc-ag.de/sec/index.htm#horde02
Instead, we simply refuse to send the email if an address is specified which contains spaces in the user@host portion of the address. We also put the address following sendmail -f in double quotes, escaping any shell characters inside it.
> Fix: The best solution would be generally not to pass vars to popen(), but rather to open the pipe to Sendmail by calling popen("$default->path_to_Sendmail -t") and putting all available information into the mail header. This requires some extra checking and converting, but secures the system a lot.
Unfortunately, doing so would remove our ability to correctly set the envelope From address of emails sent out, which would result in some users being unable to post to mailing lists, among other things.
> Feedback: Please send suggestions, updates, and comments to mailto: security () coc-ag net http://ssl.coc-ag.de/sec
As I understand it, it is considered courteous to give a project at least a day to respond to security bugs to provide an official fix to accompany the announcement. I realize that this was a follow-up to a previous disclosure, but is 24 hours notice too much to ask?
> References: Both projects (Horde and IMP) of the horde group can be found at http://horde.org Despite those few bugs, these people have really done a great job on free software.
Why thank you.

-chuck

--
Charles Hagenbuch, <chuck () horde org>
"Every new beginning comes from some other beginning's end." - Semisonic
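The bug the thread is about is a shell-argument injection: the envelope sender is interpolated into a popen() command string, the shell splits it on whitespace, and sendmail parses any resulting word that starts with "-" as an option. The example below is an added illustration of that pattern and of the two fixes Chuck describes (refuse addresses with spaces in user@host, then shell-quote the value), written in Python rather than Horde's PHP; it is not Horde or IMP code. It assumes the command form "sendmail -f <from> -t" and the path /usr/sbin/sendmail, and the attacker-supplied address and its "-injected-option" word are constructed placeholders, not a real sendmail option.

```python
"""Envelope-sender argument injection via popen()/sendmail -f.

Constructed illustration, not Horde or IMP code.  Assumed command form:
"sendmail -f <from> -t" built as a single shell string, which is the
pattern the Bugtraq thread describes.
"""
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"   # assumed path (Horde: $default->path_to_Sendmail)

# One bare address: no whitespace anywhere, exactly one '@'.  "Name <addr>"
# display forms are deliberately not accepted here; split them off earlier.
ADDR_RE = re.compile(r"[^\s@]+@[^\s@]+")


def vulnerable_command(from_addr):
    """The unsafe pattern: $from dropped into the command string as-is."""
    return f"{SENDMAIL} -f {from_addr} -t"


def shell_words(command):
    """What /bin/sh hands to execve for a command string (word splitting and
    quote removal only; shell operators such as ';' are not modelled)."""
    return shlex.split(command)


def injected_options(from_addr):
    """Words the address smuggles in after the genuine -f argument.  Any such
    word starting with '-' is parsed by sendmail as an option."""
    words = shell_words(vulnerable_command(from_addr))
    # words[0] = sendmail, [1] = '-f', [2] = the genuine address, [-1] = '-t'
    return [w for w in words[3:-1] if w.startswith("-")]


def safe_envelope_from(from_addr):
    """Chuck's fix, generalised: refuse to send if the user@host part
    contains whitespace (or the address starts with '-'), then shell-quote
    what remains so metacharacters stay inside one argument."""
    if not ADDR_RE.fullmatch(from_addr) or from_addr.startswith("-"):
        raise ValueError(f"refusing to send: bad envelope sender {from_addr!r}")
    return shlex.quote(from_addr)


def accepts(from_addr):
    """True if safe_envelope_from() would let this address through."""
    try:
        safe_envelope_from(from_addr)
        return True
    except ValueError:
        return False


def hardened_command(from_addr):
    """Same command string, but the address is validated and quoted."""
    return f"{SENDMAIL} -f {safe_envelope_from(from_addr)} -t"


def hardened_argv(from_addr):
    """Where the runtime can exec without a shell, pass an argv list instead:
    each element is exactly one argument, so shell quoting never arises.
    The same validation policy is kept so both forms accept identical input."""
    safe_envelope_from(from_addr)
    return [SENDMAIL, "-f", from_addr, "-t"]


if __name__ == "__main__":
    evil = "attacker@example.org -injected-option"   # constructed sample
    print("vulnerable argv:", shell_words(vulnerable_command(evil)))
    print("injected:", injected_options(evil))
    print("hardened:", hardened_command("a@b;ls"))
    print("accepted?", accepts(evil))
```

Note that rejecting whitespace is what actually closes the hole: shlex.quote() (PHP's escapeshellarg() plays the same role) keeps the value inside one argument, but without the check a display-name form such as "Some Name <user@host>" would still be handed to sendmail as a single, nonsensical sender, which is why the thread's fix refuses to send rather than trying to repair the string.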
Current thread:
- Horde library Bug part 2 Steube, Jens (Sep 18)
- Re: [imp] FW: Horde library Bug part 2 Chuck Hagenbuch (Sep 19)
- <Possible follow-ups>
- Re: Horde library Bug part 2 John Riddoch (Sep 19)