[Exim] Re: Re: SMTP protocol violation: synchronization erro…

Author: Derrick 'dman' Hudson
Date:
To: exim-users
Subject: [Exim] Re: Re: SMTP protocol violation: synchronization error (Exim4)
--
On Thu, Jul 04, 2002 at 05:46:11PM -0400, Dave C. wrote:
| On Thu, 4 Jul 2002, Derrick 'dman' Hudson wrote:
| > --
| > On Thu, Jul 04, 2002 at 02:20:06PM +0100, Philip Hazel wrote:
| > | On 4 Jul 2002, Nigel Metheringham wrote:
| > |
| > | > > 12:52:38 SMTP protocol violation: synchronization error (next
| > | > > input sent too soon): rejected "DATA" H= ...
| > | >
| > | > It's part of ESMTP pipelining.
| > |
| > | This can happen without pipelining. SMTP is a "lockstep" protocol - the
| > | client MUST wait for the server response at certain points. Exim 4
| > | enforces this, to stop spammers who just send out the whole thing in one
| > | packet and then go away.
| >
| > It also helps protect against the HTTP form submission vulnerability,
| > but I think the 5-bad-commands-and-you're-out check will handle that
| > first.

|
| Which vulnerability are you talking about and how does Exim's
| synchronization prevent it?


http://www.remote.org/jochen/sec/hfpa/index.html

To summarize, someone can craft a form that submits to
http://you.mail.server:25/ and includes a MIME-encoded text area with
SMTP commands in it.

According to RFC 821, a mail server must ignore all unknown/invalid
commands (in this example that would be the HTTP headers) and then it
would see the SMTP commands and end up sending an email.

Since the web browser wouldn't be operating in lockstep, exim's
synchronization would see that and abort. Even before that happens,
though, the browser will exceed the 5-bad-commands limit and the
operation will be aborted anyways.

-D

--

Thy Word is a lamp unto my feet
and a light unto my path.
        Psalms 119:105


http://dman.ddts.net/~dman/
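
An added illustration, not part of the original message and not Exim's code: a simplified Python model of the two checks discussed above (the lockstep synchronization check and the 5-bad-commands limit), run over a constructed browser-style POST that arrives in one read and over a client that waits for each reply. The function `run_session`, the host names and addresses, and the rule that a command with further input already buffered behind it counts as sent too soon are assumptions of this model.

```python
# Simplified model of the two server-side checks from the thread (not Exim's code).
KNOWN = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_BAD = 5  # the "5-bad-commands" limit quoted in the thread

def run_session(reads, enforce_sync=True, max_bad=MAX_BAD):
    """reads: list of byte strings, one per network read from the client.
    The server answers each command, so any input already buffered behind
    a command was sent before its reply (the client is not in lockstep).
    Returns (verdict, list_of_accepted_verbs)."""
    bad, accepted, in_data = 0, [], False
    for read in reads:
        lines = [l for l in read.split(b"\r\n") if l]
        for i, line in enumerate(lines):
            if in_data:                      # message body ends at a lone "."
                in_data = line != b"."
                continue
            verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
            if verb not in KNOWN:            # e.g. an HTTP request or header line
                bad += 1
                if bad >= max_bad:
                    return "too many bad commands", accepted
                continue
            if enforce_sync and i + 1 < len(lines):
                return "synchronization error", accepted
            accepted.append(verb)
            if verb == "DATA":
                in_data = True
            elif verb == "QUIT":
                return "closed", accepted
    return "open", accepted

# Constructed sample input (example.com names are placeholders).
SMTP_LINES = [b"HELO client.example", b"MAIL FROM:<a@example.com>",
              b"RCPT TO:<b@example.com>", b"DATA", b"Subject: test", b".", b"QUIT"]
HTTP_HEAD = [b"POST / HTTP/1.1", b"Host: mail.example.com:25", b"User-Agent: x",
             b"Accept: */*", b"Content-Type: multipart/form-data; boundary=b",
             b"", b"--b", b'Content-Disposition: form-data; name="t"', b""]
# A browser sends the whole request in one go and never waits for SMTP replies.
BROWSER = [b"\r\n".join(HTTP_HEAD + SMTP_LINES + [b"--b--", b""])]
# A well-behaved SMTP client sends one command per read and waits for the reply.
LOCKSTEP = ([l + b"\r\n" for l in SMTP_LINES[:4]]
            + [b"Subject: test\r\n.\r\n", b"QUIT\r\n"])

if __name__ == "__main__":
    print(run_session(BROWSER))                                   # both checks on
    print(run_session(BROWSER, max_bad=100))                      # sync check only
    print(run_session(BROWSER, enforce_sync=False, max_bad=100))  # neither check
    print(run_session(LOCKSTEP))                                  # normal client
```

With both checks on, the bad-command limit trips on the fifth HTTP line before any SMTP verb is reached; with that limit relaxed, the synchronization check still stops the session at the first SMTP command.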
