MBOX-Line: From markrcrispin at live.com Tue Jul 8 16:07:53 2008
To: imap-protocol@u.washington.edu
From: Mark Crispin <markrcrispin@live.com>
Date: Fri Jun 8 12:34:42 2018
Subject: [Imap-protocol] avoiding IMAP as a vector for cross-site scripting attacks
In-Reply-To: <4873DA64.8050605@psaux.com>
References: <4873DA64.8050605@psaux.com>
Message-ID: <BLU126-W38E9F2815EF00FEF8CB7ECB8970@phx.gbl>

UW imapd can be used to exploit this attack.

I believe that I have fixed the issue in Panda imapd. Panda imapd now syntax checks tags, and closes the connection after any invalid command when not logged in. Invalid commands don't echo the bogus command back when not logged in either. Thanks for reporting it.

-- Mark --

> When I tried this exploit against a Cyrus server, it didn't work, at
> least in part because () are not allowed, but the Cyrus server was
> still forced to process about 15 invalid commands. I didn't check the
> UW server because I didn't have one handy.
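
A sketch of the behaviour described in this message (tags are syntax checked, nothing the client sent is echoed, and any invalid command before login ends the connection), added here as an illustration and not taken from Panda imapd. The function names, the 32-byte tag cap and the reply wording are assumptions; the tag grammar and the list of pre-login commands follow RFC 3501.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum action { KEEP_OPEN, CLOSE_CONN };

/* RFC 3501: tag = 1*<any ASTRING-CHAR except "+">, so no SP, CTL, 8-bit
 * bytes or ( ) { % * " \ +. The 32-byte cap is this example's assumption. */
static int valid_tag(const char *s, size_t n)
{
    if (n == 0 || n > 32) return 0;
    for (const unsigned char *p = (const unsigned char *)s; n--; p++)
        if (*p <= 0x20 || *p >= 0x7f || strchr("(){%*\"\\+", *p)) return 0;
    return 1;
}

/* Case-insensitive match of cmd[0..n) against an upper-case keyword. */
static int is_cmd(const char *cmd, size_t n, const char *kw)
{
    if (strlen(kw) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)cmd[i]) != kw[i]) return 0;
    return 1;
}

/* Check one CRLF-stripped line received before login. A rejected line gets
 * a fixed reply holding no client bytes (wording assumed); else NULL. */
enum action preauth_check(const char *line, const char **reply)
{
    static const char *const ok[] = { "CAPABILITY", "NOOP", "LOGOUT",
                                      "STARTTLS", "AUTHENTICATE", "LOGIN" };
    const char *sp = strchr(line, ' ');
    size_t taglen = sp ? (size_t)(sp - line) : strlen(line);
    const char *cmd = sp ? sp + 1 : "";
    *reply = NULL;
    if (valid_tag(line, taglen))
        for (size_t i = 0; i < sizeof ok / sizeof *ok; i++)
            if (is_cmd(cmd, strcspn(cmd, " "), ok[i])) return KEEP_OPEN;
    *reply = "* BYE Invalid command\r\n";
    return CLOSE_CONN;
}

int main(void)
{
    const char *r, *lines[] = { "a001 CAPABILITY", "x <b>hi</b>" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", lines[i], preauth_check(lines[i], &r) ? "close" : "keep");
    return 0;
}
```

Because `<` and `>` are legal tag characters under the RFC 3501 grammar, the tag check alone does not keep markup out of a response; the fixed reply and the disconnect are what stop client bytes from coming back.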