[exim-dev] [Bug 3063] "SMTP Smuggling" attack

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Bugzilla
Ημερομηνία:  
Προς: exim-dev
Παλιά Θέματα: [exim-dev] [Bug 3063] New: Partially vulnerable to "SMTP Smuggling" if pipelining is enabled
Αντικείμενο: [exim-dev] [Bug 3063] "SMTP Smuggling" attack
https://bugs.exim.org/show_bug.cgi?id=3063

Simon Arlott <bugzilla.exim.simon@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED


--- Comment #7 from Simon Arlott <bugzilla.exim.simon@???> ---
> Dec 2023: getting a site to send a body including an "LF . LF" sequence
> followed by SMTP commands is a possible "smtp smuggling" attack. If
> the first (header) line for the message has a proper CRLF then enforce
> that for the body: convert bare LF to a space.


This still doesn't comply with RFC5321 because it allows <LF>.<LF> to end the
message if the first header line ends with <LF>.

I expect that converting <LF> to a space is going to lead to further security
or interoperability problems because it will mean Exim will merge two lines in
a <CRLF>-based message if there's an <LF> in the middle of them, potentially
changing the meaning of the message by merging two or more header lines
together or merging the body with the headers.

Can't it just accept the message as-is, using dot duplication if the entire
line is "."?

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/