[exim-dev] [Bug 3063] "SMTP Smuggling" attack

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Exim Bugzilla
Datum:  
To: exim-dev
Alte Treads: [exim-dev] [Bug 3063] New: Partially vulnerable to "SMTP Smuggling" if pipelining is enabled
Betreff: [exim-dev] [Bug 3063] "SMTP Smuggling" attack
https://bugs.exim.org/show_bug.cgi?id=3063

--- Comment #14 from Viktor Dukhovni <viktor1dane@???> ---
(In reply to Simon Arlott from comment #13)
>
> Jeremy, you've still not explained why Exim is now changing message content
> like this. Postfix and Sendmail don't do it.


Well, Postfix does in fact change message content when, for example, folding
overly long headers or body lines, in order to ensure RFC-compliant SMTP
output.
In this case a line-break + space is inserted, and even without attempting to
find a semantically appropriate context, garbage-in, garbage-out.

So it wouldn't be entirely unprecedented to replace non-conformant input with a
plausible best-effort approximation.

That said, Postfix stores message content lines as "records", they have neither
"LF" nor "CRLF" endings, they're either "Normal" records (complete lines to be
<CRLF> terminated on output) or "Continued" records (line fragments, to which
the next record is appended on output).

As a result, while both <LF> and <CRLF> were accepted as line endings on input
(leading to a "Normal" queue file record), the output is <CRLF> terminated
either way. So it would perhaps be more natural to canonicalise <LF>.<LF> to
<CRLF>.<CRLF> (but without treating it as end-of-message!). The result would
then be subject to dot-stuffing (SMTP transparency) on output.

One might accept <LF>.<LF> as message end only from clients whose "EHLO" and
all subsequent SMTP commands up to and including "DATA" are <LF> terminated.
This allows some legacy unix-native SMTP clients to continue to work, while
requiring RFC-conformant line-endings from all others.

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/