Bugtraq mailing list archives

Re: [imp] FW: Horde library Bug part 2


From: Chuck Hagenbuch <chuck () HORDE ORG>
Date: Mon, 18 Sep 2000 15:54:14 -0400

Quoting Darron Froese <darron () froese org>:

* Horde Library $from Bug part 2 + How to exploit with IMP and Sendmail *

An actual fix to this problem has been committed to the Horde 1.2 and Horde
1.3 cvs trees. Horde 1.2.2 (accompanied by IMP 2.2.2) should be released
shortly to make the fix generally available. A patch to upgrade
horde/lib/horde.lib (the file where the critical fix is applied) from the
1.2.1 version to the fixed version is available here:

http://cvs.horde.org/cvsweb.pl/lib/Attic/horde.lib.diff?cvsroot=horde&r1=1.1.2.24%3AHORDE_1_2_1&tr1=1.1&r2=text&tr2=1.1.2.29&f=u

(beware wrapped lines)

Workaround:     The "$from" var has to be checked for "-" chars following
                the space character. Passing those chars unfiltered will
                nearly always lead to exploitable bugs or errors.
                As neither a mail address nor a name with a leading minus
                sign makes sense, here is a small patch that converts
                every minus at the beginning of a word into an underscore:

                http://ssl.coc-ag.de/sec/index.htm#horde02

Instead, we simply refuse to send the email if an address is specified which
contains spaces in the user@host portion of the address. We also put the
address following sendmail -f in double quotes, escaping any shell
characters inside it.

Fix:            Best solution would be generally not to pass vars to
                popen(), but rather opening the pipe to Sendmail by calling
                popen("$default->path_to_Sendmail -t")
                and putting all available information into the mail header.
                This requires some extra checking and converting, but
                secures the system a lot.

Unfortunately, doing so would remove our ability to correctly set the
envelope From address of emails sent out, which would result in some users
being unable to post to mailing lists, among other things.

Feedback:       Please send suggestions, updates, and comments to

                mailto: security () coc-ag net
                http://ssl.coc-ag.de/sec

As I understand it, it is considered courteous to give a project at least a
day to respond to security bugs to provide an official fix to accompany the
announcement. I realize that this was a follow-up to a previous disclosure,
but is 24 hours' notice too much to ask?

References:     Both projects (Horde and IMP) of the horde group can be
                found at http://horde.org
                Despite those few bugs, these people there have really
                done a great job on free software.

Why thank you.

-chuck

--
Charles Hagenbuch, <chuck () horde org>
--
"Every new beginning comes from some other beginning's end." - Semisonic

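The interpolation pattern this thread is about, and the two mitigations discussed in it (Chuck's "refuse spaces, then quote the -f argument" fix, and the advisory's preference for keeping untrusted data off the sendmail command line), shown as an added example. This is not Horde or IMP code: a shell function named `sendmail` stands in for the real binary so the run is offline and prints exactly the argv the mailer would have received, the addresses are constructed, and `-C/tmp/evil.cf` is an assumed option used only to show how a "-" token after a space lands in sendmail's argv. The leading-"-" rejection in `validate_from` adapts the advisory's suggestion (reject instead of rewrite) and goes beyond what Chuck's message describes.

```python
"""Shell and option injection through a sendmail pipe, and how to close it.

Added example; not Horde/IMP code. A shell function named `sendmail`
stands in for /usr/lib/sendmail (constructed stand-in) so the run is
offline and shows which argv the mailer would actually have seen.
"""
import shlex
import subprocess

# Constructed stand-in for sendmail: prints each argv entry on its own
# line, so the output is a faithful record of how /bin/sh split the line.
FAKE_SENDMAIL = 'sendmail() { printf "%s\\n" "$@"; }; '


def run_via_shell(command):
    """Run a command line through /bin/sh, as PHP's popen() does."""
    proc = subprocess.run(["sh", "-c", FAKE_SENDMAIL + command],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def vulnerable_command(from_addr):
    """The pattern the advisory describes: $from interpolated unquoted."""
    return "sendmail -f " + from_addr + " -t"


def validate_from(from_addr):
    """Reject anything that could be split into extra tokens or read as
    an option. Whitespace check mirrors Chuck's fix; the leading '-'
    check adapts the advisory's suggestion (reject instead of rewrite)."""
    if not from_addr or any(c.isspace() for c in from_addr):
        raise ValueError("whitespace in address: %r" % from_addr)
    if from_addr.startswith("-"):
        raise ValueError("address looks like an option: %r" % from_addr)
    if "@" not in from_addr:
        raise ValueError("not user@host: %r" % from_addr)
    return from_addr


def rejects(from_addr):
    """True if validate_from() refuses the address (used by the tests)."""
    try:
        validate_from(from_addr)
    except ValueError:
        return True
    return False


def hardened_command(from_addr):
    """Chuck's approach: validate, then shell-quote the -f argument so
    metacharacters that survive validation stay inside one argv entry."""
    return "sendmail -f " + shlex.quote(validate_from(from_addr)) + " -t"


def hardened_argv(from_addr):
    """Stronger: build argv for execve() and involve no shell at all.
    Validation still matters, because '-t' style tokens inside the
    address would otherwise be parsed by sendmail's own getopt."""
    return ["sendmail", "-f", validate_from(from_addr), "-t"]


if __name__ == "__main__":
    # Constructed inputs: a benign address, a shell-injection address
    # and an option-injection address (the advisory's '-' after a space).
    for addr in ("user@example.com",
                 "user@example.com; echo INJECTED",
                 "user@example.com -C/tmp/evil.cf"):
        print("unquoted  %-40r -> %r" % (addr, run_via_shell(vulnerable_command(addr))))
        if rejects(addr):
            print("hardened  %-40r -> rejected" % addr)
        else:
            print("hardened  %-40r -> %r" % (addr, run_via_shell(hardened_command(addr))))
    # Metacharacters without whitespace pass validation but are inert once quoted.
    print("hardened  %-40r -> %r" % ("a@b.c$(id)", run_via_shell(hardened_command("a@b.c$(id)"))))
```

The argv output makes the two failure modes visible: with the unquoted line the `;` ends the sendmail command and the shell runs the attacker's `echo`, and a space followed by `-C/tmp/evil.cf` arrives at sendmail as its own option token. Quoting alone fixes the first but not the second, which is why the space check matters; the argv form removes the shell from the picture but still needs the option check.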