On Thu, Jul 04, 2002 at 05:46:11PM -0400, Dave C. wrote:
| On Thu, 4 Jul 2002, Derrick 'dman' Hudson wrote:
| > --
| > On Thu, Jul 04, 2002 at 02:20:06PM +0100, Philip Hazel wrote:
| > | On 4 Jul 2002, Nigel Metheringham wrote:
| > |
| > | > > 12:52:38 SMTP protocol violation: synchronization error (next
| > | > > input sent too soon): rejected "DATA" H= ...
| > | >
| > | > It's part of ESMTP pipelining.
| > |
| > | This can happen without pipelining. SMTP is a "lockstep" protocol - the
| > | client MUST wait for the server response at certain points. Exim 4
| > | enforces this, to stop spammers who just send out the whole thing in one
| > | packet and then go away.
| >
| > It also helps protect against the HTTP form submission vulnerability,
| > but I think the 5-bad-commands-and-you're-out check will handle that
| > first.
|
| Which vulnerability are you talking about and how does exim's
| synchronization prevent it?
http://www.remote.org/jochen/sec/hfpa/index.html
To summarize, someone can craft a form that submits to
http://you.mail.server:25/ and includes a MIME-encoded text area with
SMTP commands in it.
According to RFC 821, a mail server must ignore all unknown/invalid
commands (in this example that would be the HTTP headers) and then it
would see the SMTP commands and end up sending an email.
Since the web browser wouldn't be operating in lockstep, exim's
synchronization would see that and abort. Even before that happens,
though, the browser will exceed the 5-bad-commands limit and the
operation will be aborted anyway.
-D
--
Thy Word is a lamp unto my feet
and a light unto my path.
Psalms 119:105
http://dman.ddts.net/~dman/
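The two checks discussed in this thread, the lockstep "synchronization" check and the limit on unrecognised commands, as an added illustration in Python. This is not Exim's code and not something anyone in the thread posted; the hostname, reply texts and the threshold of 5 (taken from Derrick's message, not from any Exim setting) are assumptions, and the three clients are constructed for the demonstration. The responder never advertises PIPELINING, so every reply is a point the client must wait at. Before sending any reply it asks whether the client has already sent more input; if so, the client did not wait, and the session is refused. In the "everything in one packet" case that means the greeting-time check fires before a single command is even parsed.

```python
import select
import socket
import threading

# Assumptions for the illustration: the hostname and reply texts are made up,
# and the limit of 5 unrecognised commands follows the figure in the thread.
KNOWN = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"NOOP", b"RSET"}
MAX_UNKNOWN = 5

class LockstepSMTP:
    # Never advertises PIPELINING, so every reply is a point the client must wait for.
    def __init__(self, conn):
        self.conn, self.buf, self.unknown, self.events = conn, b"", 0, []

    def _input_pending(self):
        # Bytes already buffered or readable now were sent before the client saw our reply.
        if self.buf:
            return True
        readable, _, _ = select.select([self.conn], [], [], 0)
        return bool(readable)

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.conn.recv(4096)
            if not chunk:
                return None
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line

    def _reply(self, text):
        # Synchronization check: refuse to answer a client that ran ahead of us.
        if self._input_pending():
            self.conn.sendall(b"554 SMTP synchronization error (next input sent too soon)\r\n")
            self.events.append("sync-error")
            return False
        self.conn.sendall(text + b"\r\n")
        return True

    def serve(self):
        if not self._reply(b"220 mail.example.test ESMTP"):
            return self.events
        while True:
            line = self._readline()
            if line is None:
                self.events.append("eof")
                return self.events
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"QUIT":
                self._reply(b"221 bye")
                self.events.append("quit")
                return self.events
            if verb in KNOWN:
                if not self._reply(b"250 ok"):
                    return self.events
                self.events.append(verb.decode())
            else:
                self.unknown += 1
                self.events.append("unknown")
                if self.unknown >= MAX_UNKNOWN:
                    self.conn.sendall(b"554 too many unrecognized commands\r\n")
                    self.events.append("too-many-unknown")
                    return self.events
                if not self._reply(b"500 unrecognized command"):
                    return self.events

def _run(client_fn, presend=b""):
    # Server on one end of a socketpair, a constructed client on the other.
    srv, cli = socket.socketpair()
    cli.sendall(presend)  # bytes the client fires off before any greeting
    t = threading.Thread(target=client_fn, args=(cli,))
    t.start()
    events = LockstepSMTP(srv).serve()
    srv.close()
    t.join()
    cli.close()
    return events

def well_behaved():
    def client(cli):  # reads each reply before sending the next command
        for cmd in (b"EHLO c.example.test\r\n", b"MAIL FROM:<a@example.test>\r\n", b"QUIT\r\n"):
            cli.recv(1024)
            cli.sendall(cmd)
        cli.recv(1024)
    return _run(client)

def everything_in_one_packet():
    # The whole session arrives before the server has spoken, as Philip describes.
    burst = b"HELO x\r\nMAIL FROM:<a@example.test>\r\nQUIT\r\n"
    return _run(lambda cli: None, presend=burst)

def too_many_unknown():
    def client(cli):  # waits for each reply, but no line is an SMTP command
        cli.recv(1024)
        for _ in range(MAX_UNKNOWN):
            cli.sendall(b"X-Constructed-Header: value\r\n")
            cli.recv(1024)
    return _run(client)
```

Each scenario returns the server's event list: the well-behaved client gets through EHLO, MAIL and QUIT; the one-packet burst is refused at the greeting with a synchronization error; the client that waits politely but only ever sends header-like junk is cut off after the fifth unrecognised line. The check is deliberately done with a zero-timeout select plus the local buffer rather than a read with a delay, so a legitimately slow client is never penalised: only input that is already there before the reply goes out counts as running ahead.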