URL:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=15225>
Summary: mime boundery vulnerable
Project: phpGroupWare
Submitted by: cw
Submitted on: Thu 12/15/05 at 13:15
Category: email
Item Group: 0.9.16.009
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Component Version: None
Platform Version: None
Reproducibility: None
Planned Release: None
Fixed Release:
_______________________________________________________
Details:
I don't think this is a security risk, it seems to only prevent the
forwarding of certain attachements. since it's an escaping issue it still
might be a security risk, I'm not good enough with regex to know.
Any email with a boundery containing a / (forward slash) will produce an
error. the reason is that the regex used to pull the attachement to the
forwarded email uses / as the regex delimiter and it's done in a way that
causes preg_replace to think the regex is finished. a sample error is:
Warning: Unknown modifier 'a' in
/var/www/phpgroupware/email/inc/class.bosend.inc.php on line 924
for the boundary of "828723761A.1134664025/mail.domain.com"
"/" is valid in a boundary as per http://www.ietf.org/rfc/rfc2046.txt.
I'll post on the mailing list to find the right "fix", for now escaping the /
works:
$this_boundary = str_replace('/', '\/', $this_boundary);
_______________________________________________________
Carbon-Copy List:
CC Address | Comment
------------------------------------+-----------------------------
[EMAIL PROTECTED] |
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=15225>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
_______________________________________________
Phpgroupware-tracker mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/phpgroupware-tracker
