[Classpathx-javamail] Re: Bug#304712: [Fwd: Bug#304712: avaMail allows d

classpathx-javamail

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Classpathx-javamail] Re: Bug#304712: [Fwd: Bug#304712: avaMail allows d

From:	Arnaud Vandyck
Subject:	[Classpathx-javamail] Re: Bug#304712: [Fwd: Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)]
Date:	Mon, 18 Apr 2005 10:55:38 +0200
User-agent:	Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)

Sight ;-)

Sat, 16 Apr 2005 12:17:41 +0100, 
Chris Burdess <address@hidden> wrote: 

> Mark Wielaard wrote:
>> From: Joey Hess <address@hidden>
>> Date: April 14, 2005 22:38:42 BST
>> Resent-To: address@hidden
>> To: Debian Bug Tracking System <address@hidden>
>> Resent-Cc: Debian Java Maintainers
>> <address@hidden>
>> Subject: Bug#304712: avaMail allows directory traversal in attachments
>> (CAN-2005-1105)
>> Reply-To: Joey Hess <address@hidden>, address@hidden
>>
>>
>> Package: libgnumail-java
>> Version: 1.0
>> Severity: normal
>> Tags: security
>>
>> CAN-2005-1105 describes a vulnerability in the JavaMail API:
>>
>>   MimeBodyPart.getFileName () method in the JavaMail API doesn't
>> properly
>>   validate filename attribute in Content-Disposition header, which
>> makes it
>>   vulnerable to directory traversal attacks. Successful exploitation of
>>   this vulnerability allows writing arbitrary content in any directory
>>   accessible to the servlet running JavaMail.
>>
>>   http://marc.theaimsgroup.com/?l=bugtraq&m=111335615600839&w=2
>>
>> Multiple imeplementations of this API are vulnerable, including
>> libgnumail-java. Unless each program using libgnumail-java does its own
>> checks of the filename for directory traversal attacks, this lack of
>> sanity checking can allow overwriting of a user's files.
>>
>> I think this security hole is fairly theoretical at the moment since it
>> seems only ant in Debian uses libgnumail-java, and it seems to only use
>> it to send mail.
>
> I don't really understand the problem here. Surely the "vulnerability"
> is introduced by the code described at the given URL (the
> saveMailAttachment method), rather than in the JavaMail framework?
> JavaMail is simply reporting what's in the actual message - it's up to
> the application to take measures to protect the user's
> security. JavaMail doesn't write the attachment to a file in any way.
> -- 
> Chris Burdess
>
>
>
> _______________________________________________
> pkg-java-maintainers mailing list
> address@hidden
> http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
>

-- 
  .''`. 
 : :' :rnaud
 `. `'  
   `-    
Java Trap: http://www.gnu.org/philosophy/java-trap.html

[Prev in Thread]

Current Thread

[Next in Thread]

[Classpathx-javamail] Re: Bug#304712: [Fwd: Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)], Arnaud Vandyck <=

Prev by Date: [Classpathx-javamail] [Joey Hess] Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)
Next by Date: [Classpathx-javamail] Support of multipart/*
Previous by thread: [Classpathx-javamail] [Joey Hess] Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)
Next by thread: [Classpathx-javamail] Support of multipart/*
Index(es):
- Date
- Thread