#2846: Security vulnerability in APOP authentication

Comment (by Rocco Rutte):

{{{
Hi,

* Brendan Cully [07-04-02 15:31:14 -0700] wrote:
>On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote:

>> I was looking at some mutt code for this issue and other issues that
>> report broken threading upon invalid message-ids. It seems that mutt
>> happily accepts the following syntax: '<.*>' which is just plain wrong.

>> I looked at rfc822.c to try to reuse address parsing for parsing
>> message-ids but failed since I didn't have much time and the quote is
>> quite complex.

>> Even though adopting your code for mutt would be quite easy, I'm not
>> yet sure what to do in case of validation errors.

>> Say we get '<foobar>' during APOP authentication; should we really
>> reject that and report failed authentication? If a message has
>> '<foobar>' as message-id and others have it in their References:
>> header, should we really ignore it and break threading?

>Here's a patch that does a really minimal check that the message ID is
>of the form <[EMAIL PROTECTED]> where x and y are between ASCII 0 and 127. I hope
>that it's enough to thwart the MD5 collision attack, but liberal
>enough to tolerate the range of broken POP servers out there. The @y
>test could be easily removed if necessary.

>Comments?

Adding a new method is one way, I hoped to find some way to reuse the
address parser. But as that's quite complex, I think it's okay for now.

The only thing I saw was that checking for 'l>127' is probably not
enough as you also want to check for 'l<32'.

bye, Rocco
}}}

--
Ticket URL: <http://www.mutt.org/ticket/2846#comment:>
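
The kind of check discussed in this comment, written out as an added example; it is not the patch from the ticket and not mutt's code. The function name `apop_timestamp_ok` and the sample timestamps are hypothetical, and the byte range follows the two bounds named in the thread (reject below 32 and above 127).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mutt's): returns 1 if the timestamp taken from
 * the POP3 greeting has the minimal shape <x@y>, 0 if it must be refused
 * before it is hashed together with the password for APOP. */
int apop_timestamp_ok(const char *ts)
{
    size_t len, i;
    const char *at;

    if (ts == NULL)
        return 0;
    len = strlen(ts);
    /* Shortest acceptable value is "<x@y>", i.e. 5 bytes. */
    if (len < 5 || ts[0] != '<' || ts[len - 1] != '>')
        return 0;

    /* Bounds from the thread: refuse bytes below 32 and above 127.
     * Go through unsigned char so bytes >= 0x80 do not look negative
     * and slip past the upper-bound comparison. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ts[i];
        if (c < 32 || c > 127)
            return 0;
    }

    /* The "@y" part of the test: an '@' with non-empty x and y. */
    at = strchr(ts, '@');
    if (at == NULL || at == ts + 1 || at == ts + len - 2)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample timestamps, not taken from any real server. */
    const char *samples[] = { "<1234.5678@pop.example.org>", "<foobar>",
                              "<12\00134@pop.example.org>",
                              "<12\35134@pop.example.org>" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               apop_timestamp_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```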