Mark Wielaard wrote:
From: Joey Hess <[EMAIL PROTECTED]>
Date: April 14, 2005 22:38:42 BST
Resent-To: debian-bugs-dist@lists.debian.org
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Resent-Cc: Debian Java Maintainers <[EMAIL PROTECTED]>
Subject: Bug#304712: JavaMail allows directory traversal in attachments (CAN-2005-1105)
Reply-To: Joey Hess <[EMAIL PROTECTED]>, [EMAIL PROTECTED]



Package: libgnumail-java
Version: 1.0
Severity: normal
Tags: security

CAN-2005-1105 describes a vulnerability in the JavaMail API:

MimeBodyPart.getFileName () method in the JavaMail API doesn't properly
validate filename attribute in Content-Disposition header, which makes it
vulnerable to directory traversal attacks. Successful exploitation of
this vulnerability allows writing arbitrary content in any directory
accessible to the servlet running JavaMail.


  http://marc.theaimsgroup.com/?l=bugtraq&m=111335615600839&w=2

Multiple implementations of this API are vulnerable, including
libgnumail-java. Unless each program using libgnumail-java does its own
checks of the filename for directory traversal attacks, this lack of
sanity checking can allow overwriting of a user's files.

I think this security hole is fairly theoretical at the moment since it
seems only ant in Debian uses libgnumail-java, and it seems to only use
it to send mail.

I don't really understand the problem here. Surely the "vulnerability" is introduced by the code described at the given URL (the saveMailAttachment method), rather than in the JavaMail framework? JavaMail is simply reporting what's in the actual message - it's up to the application to take measures to protect the user's security. JavaMail doesn't write the attachment to a file in any way.
--
Chris Burdess
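
The application-side check this thread refers to, as an added example that is not part of the original messages or of any JavaMail implementation: it maps the untrusted string an application would get from MimeBodyPart.getFileName() to a path directly inside a chosen save directory. The class and method names (SafeAttachmentName, resolveInside) and the sample names in main are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class SafeAttachmentName {

    /**
     * Map an untrusted attachment name (for example the String returned by
     * MimeBodyPart.getFileName()) to a path directly inside saveDir.
     * Directory components are dropped; names that cannot be used are rejected.
     */
    static Path resolveInside(Path saveDir, String untrustedName) throws IOException {
        if (untrustedName == null) {
            throw new IOException("attachment has no file name");
        }
        // Keep only the last component. Both '/' and '\' count as separators,
        // whatever platform this runs on, because the sender picks the string.
        int cut = Math.max(untrustedName.lastIndexOf('/'), untrustedName.lastIndexOf('\\'));
        String leaf = untrustedName.substring(cut + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..") || leaf.indexOf('\0') >= 0) {
            throw new IOException("rejected attachment name");
        }
        Path base = saveDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(leaf).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("rejected attachment name", e);
        }
        // Defence in depth: the result must be a direct child of the save
        // directory (this also catches drive-relative names on Windows).
        if (!base.equals(target.getParent())) {
            throw new IOException("attachment name escapes save directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("attachments");
        // Constructed sample names, not taken from a real message.
        String[] names = {"report.pdf", "../../etc/passwd", "..\\..\\boot.ini", "/etc/cron.d/job", ".."};
        for (String n : names) {
            try {
                System.out.println(n + " -> " + resolveInside(dir, n));
            } catch (IOException e) {
                System.out.println(n + " -> " + e.getMessage());
            }
        }
    }
}
```

Writing the returned path with StandardOpenOption.CREATE_NEW additionally prevents a message from overwriting a file that already exists in the save directory.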



