Comment on [#12282] Handling IMAP server errors can lead to DoS
> I've selected IMP as the category, because that's where it occurs,
> and I'm not sure where it should be fixed.
> The problem happens when I do some IMAP operations and the server
> gives back an error, like here:
> * 11 FETCH (UID 19 FLAGS (\Seen) RFC822.SIZE 2418 ENVELOPE ("Fri, 28
> Nov 2008 19:20:40 +0100" {102}
> A Magyar =?iso-8859-1?Q?Di=E1ksport_Sz=F6v?=
> =?iso-8859-1?Q?ets=E9g_H=EDrei_2008=2E_november_28-=E1n?=
> (("Diaksporthir" NIL "diaksporthir" "mdsz.hu")) (("Diaksporthir" NIL
> "diaksporthir" "mdsz.hu")) ((NIL NIL "diaksporthir" "mdsz.hu")) ((NIL
> NIL "bra" "fsn.hu")) NIL NIL NIL "<20081128182040.GA20477@mdsz.hu>")
> BODY[HEADER.FIELDS (IMPORTANCE LIST-POST X-PRIORITY)] {2}
>
> )
> * 12 FETCH (UID 20 FLAGS (\Seen Junk))
> * BYE Internal error occurred. Refer to server log for more
> information. [2013-05-29 17:30:25]
>
> After this, the PHP process goes berserk by logging these lines (I
> use syslog, so syslog also gets some heavy times):
> May 29 17:31:47 wm01a HORDE: [imp] PHP ERROR: fgets() expects
> parameter 1 to be resource, null given [pid 1474 on line 4203 of
> "/usr/local/share/pear/Horde/Imap/Client/Socket.php"]
> May 29 17:31:47 wm01a HORDE: [imp] PHP ERROR: feof() expects
> parameter 1 to be resource, null given [pid 1474 on line 4190 of
> "/usr/local/share/pear/Horde/Imap/Client/Socket.php"]
> May 29 17:31:47 wm01a HORDE: [imp] PHP ERROR: fgets() expects
> parameter 1 to be resource, null given [pid 1474 on line 4203 of
> "/usr/local/share/pear/Horde/Imap/Client/Socket.php"]
>
> This goes in an infinite loop (until max execution time is reached),
> logging into syslog as fast as it can. Repeating this some more times
> on the web UI makes the whole system unusable, even denying logging
> in via sshd (syslogd is so overwhelmed that it blocks it).
>
> I think it would be nice to prepare for IMAP errors other than
> logging more than 2000 lines per second, effectively causing a DoS to
> the system. :)
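
The failure mode in the quoted report, shown as an added example that is not Horde's code and not part of the ticket: a PHP line reader that treats a missing or closed stream handle, a failed `fgets()`, and a server `* BYE` as fatal, so the read loop ends with one exception instead of repeating warnings. The names `ImapConnectionLost`, `readImapLine`, `readUntilTagged` and the tag `A001` are hypothetical, and the sample input is constructed from lines in the report.

```php
<?php
// Added example, not Horde code. All names here are hypothetical.
// Goal: a read loop that cannot spin when the stream handle is gone.
class ImapConnectionLost extends RuntimeException {}

function readImapLine($stream)
{
    // The warnings in the report show feof() and fgets() being called on a
    // null handle. Check the handle first and fail closed.
    if (!is_resource($stream) || feof($stream)) {
        throw new ImapConnectionLost('IMAP stream is closed');
    }
    $line = fgets($stream);
    if ($line === false) {
        throw new ImapConnectionLost('read failed or connection dropped');
    }
    return rtrim($line, "\r\n");
}

function readUntilTagged($stream, $tag)
{
    $lines = [];
    while (true) {
        $line = readImapLine($stream); // throws, so the loop always terminates
        $lines[] = $line;
        if (strpos($line, '* BYE') === 0) {
            throw new ImapConnectionLost('server sent BYE: ' . $line);
        }
        if (strpos($line, $tag . ' ') === 0) {
            return $lines; // tagged completion response reached
        }
    }
}

// Constructed sample input modelled on the server output in the report.
$stream = fopen('php://memory', 'r+');
fwrite($stream, "* 12 FETCH (UID 20 FLAGS (\\Seen Junk))\r\n");
fwrite($stream, "* BYE Internal error occurred.\r\n");
rewind($stream);
try {
    readUntilTagged($stream, 'A001');
} catch (ImapConnectionLost $e) {
    error_log($e->getMessage()); // one log line per failed command
}
```

Because every failure path throws, a dropped connection costs one log entry per command rather than one per loop iteration.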