oss-sec mailing list archives
Re: New SMTP smuggling attack
From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Wed, 01 May 2024 00:48:23 +0200
Mark Esler wrote in <ZjBHOEHylGAaIo57@moon>: |To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs |should comply with RFC 5321 section 4.1.1.4 [0] to strip control |characters other than <SP>, <HT>, <CR>, and <LF> in the DATA section of |SMTP messages. Given that RFC 733 is from 1977 and RFC 822 is from 1982 i feel this entire thread is exaggerating. The smuggling problem solely was rooted in the LF / CRLF "wars" from at minimum the early 70s (Unix and more), with terminal drivers doing auto-translation on-the-fly etc etc etc. The internet history list may be worthwhile for this, or examining the history of Unix programs. Ie, in January i also (funny) talked to John Klensin on an IETF list saying [.]The CR/LF "problem" seems to have been "addressed" in UNIX as early as 1972, ie "6/12/72 STTY (II)" gives 020 map CR into LF; echo LF or CR as LF-CR ... Mode 020 causes input carriage returns to be turned into new-lines; input of either CR or LF causes LF-CR both to be echoed (used for GE TermiNet 300's and other terminals without the newline function). In 1974 it became -nl allow carriage return for new-line, and output CR-LF for carriage return or new-line nl accept only new-line to end lines Which makes me *think* that "Houston, we have a problem" was ACKnowledged, and in order not to be a crook something would have been done about it, saving even a byte per line. But i do not know, this was all military and other high sphere academics by then. Interesting, by the way, that "so many" expensive decisions were deemed necessary[.] --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Current thread:
- Re: New SMTP smuggling attack Mark Esler (Apr 30)
- Re: New SMTP smuggling attack nightmare . yeah27 (Apr 30)
- Re: New SMTP smuggling attack Erik Auerswald (Apr 30)
- Re: New SMTP smuggling attack Steffen Nurpmeso (Apr 30)
- Re: New SMTP smuggling attack Steffen Nurpmeso (May 02)
- Re: New SMTP smuggling attack Solar Designer (May 02)
- Re: New SMTP smuggling attack Mark Esler (May 09)
- Re: New SMTP smuggling attack Erik Auerswald (May 09)
- Re: New SMTP smuggling attack Steffen Nurpmeso (May 02)