On Thu, 4 Jul 2002, Derrick 'dman' Hudson wrote:
> --
> On Thu, Jul 04, 2002 at 02:20:06PM +0100, Philip Hazel wrote:
> | On 4 Jul 2002, Nigel Metheringham wrote:
> |
> | > > 12:52:38 SMTP protocol violation: synchronization error (next
> | > > input sent too soon): rejected "DATA" H= ...
> | >
> | > It's part of ESMTP pipelining.
> |
> | This can happen without pipelining. SMTP is a "lockstep" protocol - the
> | client MUST wait for the server response at certain points. Exim 4
> | enforces this, to stop spammers who just send out the whole thing in one
> | packet and then go away.
>
> It also helps protect against the HTTP form submission vulnerability,
> but I think the 5-bad-commands-and-you're-out check will handle that
> first.

Which vulnerability are you talking about and how does Exim's
synchronization prevent it?

The only HTTP/form vulnerability I am aware of is the fact that a stock
version of formmail.pl can be hijacked by an attacker faking a referrer
and the form data. Stock formmail uses the '-f' interface to submit its
mail, so SMTP synchronization would have no effect, and even if formmail
used -bs, Exim would have no way of detecting whether or not the HTTP
client was legitimate (in fact, there isn't even an easy way to do
that in formmail - the only way to block this is to modify formmail to
have an 'authorized recipients' list or pattern).

> -D
>
> --
>
> Come to me, all you who are weary and burdened, and I will give you
> rest. Take my yoke upon you and learn from me, for I am gentle and
> humble in heart, and you will find rest for your souls. For my yoke
> is easy and my burden is light.
> Matthew 11:28-30
>
> http://dman.ddts.net/~dman/
>
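The lockstep check discussed in this thread, as an added example that is not part of the original messages and is not Exim's code: a toy server that, before each reply, tests whether the client has already sent more input. It assumes PIPELINING is not offered (so every command is a synchronization point); the host names, addresses and reply texts are constructed for illustration.

```python
import select
import socket
import threading

SYNC_ERROR = "554 SMTP synchronization error"  # illustrative reply text
# Constructed sample session (hypothetical addresses).
COMMANDS = [b"HELO client.example.test", b"MAIL FROM:<a@example.test>",
            b"RCPT TO:<b@example.test>", b"DATA"]

def input_pending(sock):
    """True if the client has already sent bytes the server has not read."""
    return bool(select.select([sock], [], [], 0)[0])

def serve_lockstep(sock):
    """Serve one session with PIPELINING not offered; return replies sent."""
    replies, buf = [], b""
    def reply(text):
        replies.append(text)
        sock.sendall(text.encode() + b"\r\n")
    if input_pending(sock):              # client spoke before the greeting
        reply(SYNC_ERROR)
        return replies
    reply("220 mx.example.test ESMTP")
    while True:
        while b"\r\n" not in buf:        # read until a full command line is buffered
            chunk = sock.recv(4096)
            if not chunk:
                return replies
            buf += chunk
        line, _, buf = buf.partition(b"\r\n")
        if buf or input_pending(sock):   # next input sent too soon
            reply(SYNC_ERROR)
            return replies
        if line.upper() == b"DATA":
            reply("354 send message")    # message body handling omitted
            return replies
        reply("250 OK")

def run_session(wait_for_replies):
    """Drive COMMANDS at the server, waiting for replies or all in one packet."""
    server, client = socket.socketpair()
    with server, client:
        if not wait_for_replies:
            client.sendall(b"\r\n".join(COMMANDS) + b"\r\n")
            return serve_lockstep(server)
        def polite():
            for cmd in COMMANDS:
                client.recv(4096)        # wait for greeting / previous reply
                client.sendall(cmd + b"\r\n")
        worker = threading.Thread(target=polite)
        worker.start()
        replies = serve_lockstep(server)
        worker.join()
        return replies
```

`run_session(True)` completes through the 354 reply, while `run_session(False)` is rejected at the greeting because the whole session is already sitting in the server's receive buffer.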