dev.horde.org
Comment on [#5892] Linked attachment feature vulnerability
>> By exploiting the jar: protocol feature of Mozilla Firefox and the fact that the Imp Web Client allows things like "https://mail.server/horde/imp/attachment.php?u=user&t=4827164921&f=example.jpg", it's possible to execute various XSS attacks. For example:
>> "jar:https://mail.server/horde/imp/attachment.php?u=user&t=4827164921&f=example.jar!/evil.htm".
>
> I'm certainly sensitive to security concerns, but there are several reasons I don't think this is a vulnerability in IMP itself, though IMP might be "involved" in exploiting it:
>
> - When downloading linked attachments, we send a content-disposition of attachment. If the browser displays files directly anyway... there's only so much we can do about that.
>
> - If I'm reading correctly, you have to prepend jar: to the URL for this to happen. IMP will never do that, so someone would have to send a hand-crafted email containing the malicious URL.
>
> - If the attacker is crafting their own URL anyway, isn't it a lot simpler to put their malicious file somewhere else, and to make it look more enticing than an email attachment? Admittedly this is a dodge, but I think the other reasons are more valid.
>
> - A user could upload other kinds of "bad" content to an attachment and send them out. That makes this a file delivery mechanism - we should probably have a hook for scanning and accepting/rejecting linked attachments - but that's no more a vulnerability than an FTP site is.
>
> If you don't disagree, I'll turn this into an enhancement ticket to add a hook for scanning linked attachments (probably easier to have it handle all attachments and accept/reject on initial upload, actually). If you do disagree, please explain, and we'll see where we are.
>
> Thanks,
>
> Chuck
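The thread above proposes a hook that scans linked attachments and accepts or rejects them at upload time. The following is an added illustration of what such a check has to get right, written for this page and not code from IMP or Horde: a `.jar` is just a ZIP archive, so the check must ask "does a ZIP reader accept these bytes?" rather than trusting the extension or the first few bytes. The sample archive and JPEG prefix are constructed here; `build_jar`, `is_zip_container`, `archive_members` and `vet_linked_attachment` are hypothetical names, not Horde hook API. The example goes slightly beyond the ticket's `example.jar` case by also covering an archive hidden behind an image header, because ZIP readers locate the end-of-central-directory record from the end of the file, not the start.

```python
import io
import zipfile


def build_jar(inner_name: str, inner_body: bytes) -> bytes:
    """Constructed sample: a minimal ZIP (which is all a .jar is). The
    entry `inner_name` is what jar:<url>!/<inner_name> would address."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_body)
    return buf.getvalue()


# Constructed: bytes that a naive magic-number check would call a JPEG.
JPEG_PREFIX = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def is_zip_container(data: bytes) -> bool:
    """True if a ZIP reader would accept `data`.

    zipfile.is_zipfile searches for the end-of-central-directory record
    by scanning backwards from the end of the file, so a ZIP with an
    image or other junk prepended is still recognised. A check on the
    leading b"PK\\x03\\x04" alone would miss that case.
    """
    return zipfile.is_zipfile(io.BytesIO(data))


def archive_members(data: bytes) -> list:
    """Entry names a ZIP reader would expose for `data` (empty if it is
    not a ZIP). Useful for logging what a rejected upload contained."""
    if not is_zip_container(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def vet_linked_attachment(filename: str, data: bytes):
    """Hypothetical accept/reject hook for a linked attachment.

    Returns (accepted, reason). Rejects anything that parses as a ZIP
    archive regardless of the declared filename, since jar: addressing
    only needs the served bytes to be a valid archive.
    """
    if is_zip_container(data):
        members = ", ".join(archive_members(data))
        return False, f"{filename}: parses as a ZIP/JAR archive (entries: {members}); refusing"
    return True, f"{filename}: accepted"


if __name__ == "__main__":
    jar = build_jar("evil.htm", b"<script>alert(document.domain)</script>")
    for name, blob in [
        ("example.jar", jar),             # the case from the ticket
        ("example.jpg", JPEG_PREFIX + jar),  # archive hidden behind an image header
        ("photo.jpg", JPEG_PREFIX),       # plain image-like bytes, no archive
    ]:
        ok, why = vet_linked_attachment(name, blob)
        print("ACCEPT" if ok else "REJECT", why)
```

The decision is made on the bytes as an archive parser would see them, which is the same view a browser's jar: handler takes; the declared name and a leading-bytes sniff are both irrelevant to it.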