
Security

Some mailer difficulties

Thunderbird users generally take some comfort from the fact that their mail client can be configured to refuse to load external images which might be called for in HTML mail. The loading of such images is, at a minimum, a privacy problem - it lets somebody know that a given message has been read. Remote images can be used to note the times that messages are read, or to judge the effectiveness of spam delivery. So turning off this "feature" makes a lot of sense.

Unfortunately, it turns out that Thunderbird 1.5 does not block all external loads, even when image loading is turned off. In particular, it seems that <iframe> tags can be used to force remote loads to happen. Thunderbird can also be made to request style sheets from remote sites. Either of those operations will, once again, disclose that the message was read, along with the usual ancillary information such as the user's IP address.

It has been pointed out that at least one company is exploiting this Thunderbird "feature" already. The message describing the exploit also has a temporary workaround for those who don't want to wait for an official fix; it works by setting restrictive limits on the allowed HTML tags - which seems like a good idea in any case.

Alan Cox, meanwhile, has found a problem with Evolution. If it receives a sufficiently large message with enough links in it, it will grow to a vast size and think for a long time. On a large enough system, given enough time, it will succeed in rendering the message; on smaller systems, it will run out of memory and crash. And, if that weren't enough:

Worse, and the reason this becomes more than irritating is that evolution tries to be smart when it is killed or dies. On restarting it will go to great trouble to attempt to restart in the same position it died or was shut down - which triggers the DoS again each time evolution is opened.

Alan reported the problem in January, and has been dismayed to see that no fixes or advisories have been issued so far. So he has disclosed the vulnerability, presumably with the idea of inspiring some effort to get it fixed. We'll see if it works.


New vulnerabilities

postgresql: improper validation with Asserts enabled

Package(s): postgresql
CVE #(s): CVE-2006-0678
Created: February 27, 2006
Updated: February 28, 2006
Description: PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enabled, allows local users to cause a denial of service (server crash) via a crafted SET SESSION AUTHORIZATION command, a different vulnerability than CVE-2006-0553.
Alerts:
Ubuntu USN-258-1 postgresql-7.4, postgresql-8.0, postgresql 2006-02-27


squirrelmail: multiple vulnerabilities

Package(s): squirrelmail
CVE #(s): CVE-2006-0188 CVE-2006-0195 CVE-2006-0377
Created: February 28, 2006
Updated: June 8, 2006
Description: Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)

Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195)

CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377)
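An added illustration of the IMAP injection class described for CVE-2006-0377, in Python and not SquirrelMail's own code: the vulnerable builder splices the mailbox parameter straight into the command line, so a CR/LF in the name terminates the SELECT and the server reads the remainder as a fresh tagged command. The hardened builder sends the name as an RFC 3501 quoted string and rejects CR, LF and NUL outright, since a quoted string may not contain them. The tags, mailbox names and the injected DELETE are constructed sample input.

```python
"""IMAP command injection through an unescaped mailbox name.

Added example (Python), not SquirrelMail's code. An IMAP server reads
one command per CRLF-terminated line, so a mailbox name containing
"\r\n" followed by "TAG COMMAND" makes it execute a second,
attacker-chosen command inside the victim's authenticated session.
"""


def build_select_vulnerable(tag, mailbox):
    """Naive construction: the request parameter goes straight onto the wire."""
    return f"{tag} SELECT {mailbox}\r\n"


def imap_quote(mailbox):
    """Encode a mailbox name as an RFC 3501 quoted string.

    A quoted string is 7-bit, may not contain CR, LF or NUL at all, and
    escapes '"' and '\\' with a backslash. Names that cannot be expressed
    this way are rejected rather than passed through.
    """
    if any(c in mailbox for c in "\r\n\x00"):
        raise ValueError("mailbox name contains CR, LF or NUL")
    if not mailbox.isascii():
        raise ValueError("non-ASCII name: apply modified UTF-7 (RFC 3501 5.1.3) first")
    escaped = mailbox.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_select_safe(tag, mailbox):
    """Hardened construction: the name is always exactly one quoted string."""
    return f"{tag} SELECT {imap_quote(mailbox)}\r\n"


def server_view(wire):
    """Split a client byte stream the way the server does: one command per CRLF line."""
    return [line for line in wire.split("\r\n") if line]


def injected_commands(mailbox):
    """Commands beyond the intended SELECT that the vulnerable builder lets through."""
    return server_view(build_select_vulnerable("A001", mailbox))[1:]


# Constructed attacker-controlled mailbox parameter (sample input).
EVIL_MAILBOX = 'INBOX\r\nA002 DELETE "Trash"'

if __name__ == "__main__":
    print("vulnerable, server sees:", server_view(build_select_vulnerable("A001", EVIL_MAILBOX)))
    print("safe, ordinary name:", repr(build_select_safe("A001", "INBOX")))
    print("safe, name with quotes:", repr(build_select_safe("A001", 'Say "hi"')))
    try:
        build_select_safe("A001", EVIL_MAILBOX)
    except ValueError as exc:
        print("safe, hostile name rejected:", exc)
```

Quoting the argument is sufficient only because the name is also checked for characters a quoted string cannot carry; escaping `"` and `\` alone would still let a CR/LF through. A legitimate 8-bit name goes through modified UTF-7 first, or is sent as an IMAP literal with the server's continuation response, which is out of scope here.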

Alerts:
Fedora-Legacy FLSA:190884 squirrelmail 2006-06-06
Red Hat RHSA-2006:0283-01 squirrelmail 2006-05-03
Gentoo 200603-09 squirrelmail 2006-03-12
Debian DSA-988-1 squirrelmail 2006-03-08
Fedora FEDORA-2006-133 squirrelmail 2006-03-03
Mandriva MDKSA-2006:049 squirrelmail 2006-02-27


xpdf: potential vulnerabilities

Package(s): xpdf gpdf
CVE #(s): CVE-2006-1244
Created: February 27, 2006
Updated: April 13, 2006
Description: Derek Noonburg has fixed several potential vulnerabilities in xpdf, which are also present in gpdf, the Portable Document Format (PDF) viewer with Gtk bindings.
Alerts:
Ubuntu USN-270-1 kdegraphics, koffice, xpdf, cupsys, poppler, tetex-bin 2006-04-13
Debian DSA-1019-1 koffice 2006-03-24
Debian DSA-998-1 libextractor 2006-03-14
Debian DSA-984-1 xpdf 2006-03-02
Debian DSA-983-1 pdftohtml 2006-02-28
Debian DSA-982-1 gpdf 2006-02-27


Page editor: Jonathan Corbet


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds