phpgroupware-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Phpgroupware-tracker] [bug #15225] mime boundery vulnerable

From: Chris Weiss
Subject: [Phpgroupware-tracker] [bug #15225] mime boundery vulnerable
Date: Thu, 15 Dec 2005 13:15:46 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.7 (Ubuntu package 1.0.7) 
URL:
  <http://savannah.gnu.org/bugs/?func=detailitem&item_id=15225>

                 Summary: mime boundery vulnerable
                 Project: phpGroupWare
            Submitted by: cw
            Submitted on: Thu 12/15/05 at 13:15
                Category: email
              Item Group: 0.9.16.009
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
       Component Version: None
        Platform Version: None
         Reproducibility: None
         Planned Release: None
           Fixed Release: 

    _______________________________________________________

Details:

I don't think this is a security risk, it seems to only prevent the
forwarding of certain attachements.  since it's an escaping issue it still
might be a security risk, I'm not good enough with regex to know.

Any email with a boundery containing a / (forward slash) will produce an
error.  the reason is that the regex used to pull the attachement to the
forwarded email uses / as the regex delimiter and it's done in a way that
causes preg_replace to think the regex is finished.  a sample error is:
 Warning: Unknown modifier 'a' in
/var/www/phpgroupware/email/inc/class.bosend.inc.php on line 924

for the boundary of "828723761A.1134664025/mail.domain.com"

"/" is valid in a boundary as per http://www.ietf.org/rfc/rfc2046.txt.

I'll post on the mailing list to find the right "fix", for now escaping the /
works:
$this_boundary = str_replace('/', '\/', $this_boundary);




    _______________________________________________________

Carbon-Copy List:

CC Address                          | Comment
------------------------------------+-----------------------------
address@hidden              | 




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?func=detailitem&item_id=15225>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]