Re: [PHP] Any known security issues with IMAP?

2007-10-04 Thread Andrew Ballard
On 10/4/07, Chris [EMAIL PROTECTED] wrote:
> Don O'Neil wrote:
> I'm not sure how opening an email inbox can hijack pages but maybe
> someone more creative than I can show me..

I don't know about the IMAP/POP3 itself, but if you are displaying the
messages in a web browser for something like building your own
web-mail client, the messages themselves would make YOUR pages just as
vulnerable to all kinds of cross-site scripting (XSS) attacks and the
like as they would be by accepting input from a web form. (I think
someone recently posted this link in another thread:
http://phpsec.org/projects/guide/ )

So yes, if you don't use diligence to filter that stuff out before you
send it to the browser, someone could study your mail interface well
enough to do anything they want by impersonating the user viewing the
messages -- just for starters.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
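
The filtering described in the message above, sketched for a home-built webmail page as an added example (not code from the thread): every header and body value is decoded and then HTML-escaped before it reaches the browser. The `$message` array is constructed sample data standing in for what the imap functions would return, the helper names are hypothetical, and the iconv extension is assumed to be available.

```php
<?php
// Added example. $message is constructed sample data standing in for values
// a webmail script would get from imap_headerinfo() / imap_body().
$message = [
    'from'    => '"Mallory <b>x</b>" <mallory@example.com>',
    // RFC 2047 encoded-word: the markup is invisible until the header is decoded.
    'subject' => '=?UTF-8?B?' . base64_encode('<script>alert(1)</script>') . '?=',
    'body'    => "Hi,\r\n<img src=x onerror=alert(1)>\r\nBye",
];

// Escape for HTML text and quoted-attribute contexts. ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of making htmlspecialchars() return an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Decode encoded-words first, then escape the decoded text.
function header_for_html(string $raw): string
{
    $decoded = iconv_mime_decode($raw, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, 'UTF-8');
    return h($decoded === false ? $raw : $decoded);
}

// Hypothetical renderer for one text/plain message.
function render_message(array $m): string
{
    return "<div class=\"msg\">\n"
        . '<p>From: ' . header_for_html($m['from']) . "</p>\n"
        . '<p>Subject: ' . header_for_html($m['subject']) . "</p>\n"
        . '<pre>' . h($m['body']) . "</pre>\n"
        . '</div>';
}

$html = render_message($message);

// Nothing supplied by the sender may survive as live markup.
foreach (['<script', '<img', '<b>'] as $needle) {
    if (stripos($html, $needle) !== false) {
        fwrite(STDERR, "unescaped markup: $needle\n");
        exit(1);
    }
}
echo $html, "\n";
```

Escaping is the right treatment for headers and text/plain bodies; a text/html part needs an allow-list HTML sanitizer instead, because escaping it would display the markup as text.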



Re: [PHP] Any known security issues with IMAP?

2007-10-04 Thread Chris

Andrew Ballard wrote:
> On 10/4/07, Chris [EMAIL PROTECTED] wrote:
>> Don O'Neil wrote:
>> I'm not sure how opening an email inbox can hijack pages but maybe
>> someone more creative than I can show me..
>
> I don't know about the IMAP/POP3 itself, but if you are displaying the
> messages in a web browser for something like building your own
> web-mail client, the messages themselves would make YOUR pages just as
> vulnerable to all kinds of cross-site scripting (XSS) attacks and the
> like as they would be by accepting input from a web form. (I think
> someone recently posted this link in another thread:
> http://phpsec.org/projects/guide/ )
>
> So yes, if you don't use diligence to filter that stuff out before you
> send it to the browser, someone could study your mail interface well
> enough to do anything they want by impersonating the user viewing the
> messages -- just for starters.


Good point - I should have been more explicit.

I was thinking more about processing messages and doing something with 
the content rather than displaying them in any way.


--
Postgresql & php tutorials
http://www.designmagick.com/




Re: [PHP] Any known security issues with IMAP?

2007-10-03 Thread Chris

Don O'Neil wrote:
> Are there any known security issues/concerns with compiling PHP with
> imap/pop3 support? Such as hijacking php pages and relaying spam, etc...?


[ was posting this again a mistake or just impatience? ]

I'm not sure how opening an email inbox can hijack pages but maybe 
someone more creative than I can show me..


None that I'm personally aware of but if you really want to check it out 
look at bugs.php.net and do some searching.


--
Postgresql & php tutorials
http://www.designmagick.com/
