Re: [hypermail] Hypermail security < test <here> >

From: Franklin DeMatto <franklin.lists_at_qdefense.com_at_hypermail-project.org>
Date: Tue, 13 Nov 2001 10:56:00 -0500
Message-Id: <4.2.2.20011113103749.0208cfd8_at_compumodel.com>

> >> and creation of local files with evil names (such as unwanted extensions)
> >> or properties (such as double dots in paths or x-bit on) come to mind.
> >
> >Hm, yes. This might be possible. I can't recall off the top of my head how
> >hypermail treats all file names passed to it in attachments etc.
>
> Attachment file names are filtered through the safe_filename routine,
>which ensures that only characters passing this test are allowed in those
>names:
> if ((*np >= 'a' && *np <= 'z') || (*np >= '0' && *np <= '9') ||
> (*np >= 'A' && *np <= 'Z') || (*np == '-') || (*np == '.') ||
> (*np == ':') || (*np == '_')) {
> So a filename with ".." in the middle is possible, but since it doesn't
>appear that a / or \ can be put near the dots, I haven't been able to find
>a way to exploit this.

It seems like an attacker has full control over the filename, provided that he limits himself to those characters. Nothing is to stop an attacker from creating a .shtml attachment, and putting exec or include commands in it. This is a major insecurity, in my opinion. Obviously, the server should be configured to not allow SSI in the hypermail directory, but hypermail should not rely on that.

Attackers could also use attachments to bypass the routines to clean tags from HTML, and succeed in putting evil scripts and the like on the server.

I would suggest that the "." character be removed from the list of acceptable characters, and possibly having hypermail append a standard extension. This would prevent an attacker from sending .shtml and the like, and would eliminate the possibility of a successful double dot exploit.

As for the cross site scripting, I see no solution other than an option to disallow all attachments and MIME types other than text/plain. I did not see this option in the docs - I'll work on adding a patch. If someone could point out to me where the checks are made, it would save me some time :-).

In terms of converting all < and > into &lt; and &gt;, could you point out where it is done? I would like to double check that no spots are missed - all parts of the message, including body, messageid, subject, etc. need to be checked.

> I believe that all files created by hypermail are chmod'ed to 0644 by
>default. Altering this would require something like write access to ~/.hmrc.

Can anyone else verify that there is no way to get hypermail to write files with a different mode?

Franklin DeMatto
Senior Analyst, qDefense Penetration Testing http://qDefense.com
qDefense: Making Security Accessible

Received on Wed 14 Nov 2001 04:41:50 PM GMT
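The filename check quoted above, and the fix this message proposes (drop "." from the accepted set and have the archive append a standard extension), worked through as an added example in C. This is not hypermail's own code: the original test is reproduced as a predicate, and the hardened variant, the 64-byte stem limit, the fixed ".bin" extension, the list of server-parsed extensions, and the decision to also drop ":" are all choices of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* The character test quoted in the message, applied to one byte. */
static int original_allowed(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
           (c >= 'A' && c <= 'Z') || c == '-' || c == '.' ||
           c == ':' || c == '_';
}

/* 1 if a filter built on that test would accept the whole name, else 0. */
int passes_original_filter(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (; *name != '\0'; name++)
        if (!original_allowed((unsigned char)*name))
            return 0;
    return 1;
}

/* Case-insensitive "name ends with suffix". */
static int ends_with_nocase(const char *name, const char *suffix)
{
    size_t n = strlen(name), m = strlen(suffix);
    if (m > n)
        return 0;
    for (size_t i = 0; i < m; i++)
        if (tolower((unsigned char)name[n - m + i]) !=
            tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Extensions a web server commonly hands to SSI or a script handler.
 * Illustrative list chosen for this example, not taken from hypermail. */
int has_server_parsed_extension(const char *name)
{
    static const char *const risky[] = { ".shtml", ".shtm", ".php", ".cgi", ".pl", NULL };
    for (size_t i = 0; risky[i] != NULL; i++)
        if (ends_with_nocase(name, risky[i]))
            return 1;
    return 0;
}

/* Stem alphabet after the proposed fix: letters, digits, '-' and '_'.
 * '.' is gone as the message suggests; ':' is dropped as well (a
 * conservative choice of this example). Explicit ranges avoid locale
 * surprises that isalnum() could introduce. */
static int stem_allowed(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
           (c >= 'A' && c <= 'Z') || c == '-' || c == '_';
}

/* Builds a safe on-disk name: every byte outside stem_allowed() becomes
 * '_', the stem is capped at 64 bytes, and fixed_ext (chosen by the
 * archive, never by the sender) is appended. Returns the length written,
 * or 0 if out cannot hold one stem byte plus the extension and NUL. */
size_t harden_attachment_name(const char *in, const char *fixed_ext,
                              char *out, size_t outsz)
{
    const size_t max_stem = 64;
    size_t ext_len = strlen(fixed_ext);
    size_t i = 0;

    if (outsz < 2 + ext_len)
        return 0;
    for (; in[i] != '\0' && i < max_stem && i < outsz - ext_len - 1; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = stem_allowed(c) ? (char)c : '_';
    }
    if (i == 0)              /* empty sender name: still produce a stem */
        out[i++] = '_';
    memcpy(out + i, fixed_ext, ext_len + 1);
    return i + ext_len;
}

int main(void)
{
    /* Constructed sample attachment names. */
    const char *samples[] = { "evil.shtml", "..hidden", "report.txt", "../x", NULL };
    char out[128];
    for (size_t i = 0; samples[i] != NULL; i++) {
        harden_attachment_name(samples[i], ".bin", out, sizeof out);
        printf("%-12s original filter: %d  server-parsed: %d  hardened: %s\n",
               samples[i], passes_original_filter(samples[i]),
               has_server_parsed_extension(samples[i]), out);
    }
    return 0;
}
```

The point the demo makes is the one raised in the message: "evil.shtml" sails through the original test, and a ".." inside a name is accepted too; once the dot is out of the alphabet and the extension is fixed by the archive, neither the extension nor a double dot can be chosen by the sender, so the server's SSI configuration stops being the only line of defence.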

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:12 AM GMT