oss-sec mailing list archives
CVE-2010-0463 incomplete horde fixes
From: Nico Golde <oss-security+ml () ngolde de>
Date: Sat, 3 Apr 2010 15:55:22 +0200
Hi,
from the CVE id description:

| Horde IMP 4.3.6 and earlier does not request that the web browser
| avoid DNS prefetching of domain names contained in e-mail messages,
| which makes it easier for remote attackers to determine the network
| location of the webmail user by logging DNS requests.

Additionally:
https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail

In order to fix this, Horde upstream added:

// Build filter stack. Starts with HTML markup and tab expansion.
$filters = array(
    'text2html' => array(
        'charset' => Horde_Nls::getCharset(),
        // See Ticket #8836
        'noprefetch' => ($GLOBALS['browser']->isBrowser('mozilla') &&
                         !$GLOBALS['browser']->usingSSLConnection()),
        'parselevel' => Horde_Text_Filter_Text2html::MICRO
    ),
    'tabs2spaces' => array(),
);

If the noprefetch option is set, IMP will add

<meta http-equiv="x-dns-prefetch-control" value="off" />

to the page.

The problem with the above fix is that it is only triggered if the browser is Mozilla and the connection is not using SSL. I think this comes from a misunderstanding of the above blog post, which states "Using HTTPS rather than HTTP disables DNS prefetching."

From my understanding this fix is incomplete because other browsers (e.g. Chrome) do DNS prefetching as well, and the assumption that this is disabled using HTTPS is, even for Mozilla, only true in the default configuration.

JFYI...

Cheers
Nico

P.S. Cced upstream
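The following is an added illustration, not Horde's code and not part of the original mail: it places the browser-conditional noprefetch decision quoted above beside an unconditional one, and shows the two ways a webmail page can ask the client not to prefetch (the in-page meta element, whose directive is carried in its standard "content" attribute, and the equivalent X-DNS-Prefetch-Control response header). The Browser class is a stand-in for Horde's $GLOBALS['browser'] object; the client list at the bottom is constructed for the demonstration.

```php
<?php
// Stand-in for Horde's browser object: only the two methods the report uses.
final class Browser
{
    public function __construct(private string $name, private bool $ssl) {}
    public function isBrowser(string $name): bool { return $this->name === $name; }
    public function usingSSLConnection(): bool { return $this->ssl; }
}

// Policy as reported: the hint is sent only to Mozilla over plain HTTP.
// Every other client, and Mozilla over HTTPS, receives no hint at all.
function noprefetchReported(Browser $b): bool
{
    return $b->isBrowser('mozilla') && !$b->usingSSLConnection();
}

// Corrected policy: the hint costs nothing and is ignored by clients that
// do not prefetch, so it is emitted for every client on every transport.
function noprefetchAlways(Browser $b): bool
{
    return true;
}

// In-page hint. The directive belongs in the meta element's content attribute.
function prefetchMetaTag(): string
{
    return '<meta http-equiv="x-dns-prefetch-control" content="off" />';
}

// Same directive as a response header, which also covers clients that apply
// the policy before parsing the document body.
function sendPrefetchHeader(): void
{
    if (!headers_sent()) {
        header('X-DNS-Prefetch-Control: off');
    }
}

// Constructed sample clients: browser name and whether the connection uses TLS.
$clients = [
    ['mozilla', false],
    ['mozilla', true],
    ['webkit',  false],
    ['webkit',  true],
];

foreach ($clients as [$name, $ssl]) {
    $b = new Browser($name, $ssl);
    printf(
        "%-8s ssl=%-5s reported=%-5s corrected=%s\n",
        $name,
        var_export($ssl, true),
        var_export(noprefetchReported($b), true),
        var_export(noprefetchAlways($b), true)
    );
}

sendPrefetchHeader();
echo prefetchMetaTag(), "\n";
```

Run with the PHP CLI; the table prints one row per sample client, and only the first row (Mozilla over plain HTTP) gets the hint under the reported policy, while every row gets it under the corrected one. A deployment check is to fetch the rendered message page once per client class and confirm that either the header or the meta element is present in every response.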