[exim-dev] [Bug 3063] "SMTP Smuggling" attack

Góra strony
Delete this message
Reply to this message
Autor: Exim Bugzilla
Data:  
Dla: exim-dev
Stare tematy: [exim-dev] [Bug 3063] New: Partially vulnerable to "SMTP Smuggling" if pipelining is enabled
Temat: [exim-dev] [Bug 3063] "SMTP Smuggling" attack
https://bugs.exim.org/show_bug.cgi?id=3063

--- Comment #14 from Viktor Dukhovni <viktor1dane@???> ---
(In reply to Simon Arlott from comment #13)
>
> Jeremy, you've still not explained why Exim is now changing message content
> like this. Postfix and Sendmail don't do it.


Well, Postfix does in fact change message content when, for example, folding
overly long headers or body lines, in order to ensure RFC-compliant SMTP
output.
In this case a line-break + space is inserted, and even without attempting to
find a semantically appropriate context, garbage-in, garbage-out.

So it wouldn't be entirely unprecedented to replace non-conformant input with a
plausible best-effort approximation.

That said, Postfix stores message content lines as "records", they have neither
"LF" nor "CRLF" endings, they're either "Normal" records (complete lines to be
<CRLF> terminated on output) or "Continued" records (line fragments, to which
the next record is appended on output).

As a result, while both <LF> and <CRLF> were accepted as line endings on input
(leading to a "Normal" queue file record), the output is <CRLF> terminated
either way. So it would perhaps be more natural to canonicalise <LF>.<LF> to
<CRLF>.<CRLF> (but without treating it as end-of-message!). The result would
then be subject to dot-stuffing (SMTP transparency) on output.

One might accept <LF>.<LF> as message end only from clients whose "EHLO" and
all subsequent SMTP commands up to and including "DATA" are <LF> terminated.
This allows some legacy unix-native SMTP clients to continue to work, while
requiring RFC-conformant line-endings from all others.

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/