On Fri, 5 Jul 2002, Derrick 'dman' Hudson wrote:
> --
> On Thu, Jul 04, 2002 at 05:46:11PM -0400, Dave C. wrote:
> | On Thu, 4 Jul 2002, Derrick 'dman' Hudson wrote:
> | > --
> | > On Thu, Jul 04, 2002 at 02:20:06PM +0100, Philip Hazel wrote:
> | > | On 4 Jul 2002, Nigel Metheringham wrote:
> | > |
> | > | > > 12:52:38 SMTP protocol violation: synchronization error (next
> | > | > > input sent too soon): rejected "DATA" H= ...
> | > | >
> | > | > Its part of ESMTP pipelining.
> | > |
> | > | This can happen without pipelining. SMTP is a "lockstep" protocol - the
> | > | client MUST wait for the server response at certain points. Exim 4
> | > | enforces this, to stop spammers who just send out the whole thing in one
> | > | packet and then go away.
> | >
> | > It also helps protect against the HTTP form submission vulnerability,
> | > but I think the 5-bad-commands-and-you're-out check will handle that
> | > first.
> |
> | Which vulnerability are you talking about and how does exims
> | synchronization prevent it?
>
> http://www.remote.org/jochen/sec/hfpa/index.html
>
> To summarize, someone can craft a form that submits to
> http://you.mail.server:25/ and includes a MIME-encoded text area with
> SMTP commands in it.
>
> According to RFC 821, a mail server must ignore all unknown/invalid
> commands (in this example that would be the HTTP headers) and then it
> would see the SMTP commands and end up sending an email.
Uhm. exactly what does this accomplish? If the remote IP is otherwise
permitted to send mail to you, why bother sending it this way? If they
are trying to relay thru you they wont be permitted anyway..
Ok, just read the article, this isnt an SMTP daemon vulnerability, its a
browser vulnerability, and a fairly obscure one at that.
> Since the web browser wouldn't be operating in lockstep, exim's
> synchronization would see that and abort. Even before that happens,
> though, the browser will exceed the 5-bad-commands limit and the
> operation will be aborted anyways.
>
> -D
>
> --
>
> Thy Word is a lamp unto my feet
> and a light unto my path.
> Psalms 119:105
>
> http://dman.ddts.net/~dman/
>
> --
> [ Content of type application/pgp-signature deleted ]
> --
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>