https://bugs.kde.org/show_bug.cgi?id=432353
Bug ID: 432353
Summary: Untagged responses are processed before STARTTLS.
Product: trojita
Version: 0.7
Platform: Other
OS: Linux
Status: REPORTED
Severity: critical
Priority: NOR
Component: IMAP
Assignee: trojita-b...@kde.org
Reporter: 93s4m32gd2ab8...@mailbox.org
Target Milestone: ---

Trojita accepts LIST, LSUB, STATUS, ... untagged responses before STARTTLS and incorporates them into local state. I am not sure if this is already kind of a misbehavior even without STARTTLS, because the IMAP RFC does not really prohibit that. However, a meddler in the middle can use this to tamper with the state of Trojita.

This *could* also be escalated to a more severe issue. E.g. when an attacker injects a folder name with "\r\n<tag> <command>", it could trick Trojita into executing attacker-controlled commands on the IMAP server after login. The only thing preventing this is sanitization of folder names, but I am not sure if we should count on that...
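The following is an added example, not part of the bug report and not Trojita's code: a client-side gate that keeps plaintext untagged data responses out of local state until TLS is active, plus a CR/LF check on mailbox names as a second layer. All names (`classify`, `mailboxNameIsSafe`, `Verdict`) and the plaintext allow-list are assumptions of this sketch.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical names throughout; this is not Trojita's parser.
enum class Verdict { Apply, Drop };

// Uppercased word of s that starts at pos (stops at space, CR or LF).
static std::string wordAt(const std::string& s, std::size_t pos) {
    std::string w;
    while (pos < s.size() && s[pos] != ' ' && s[pos] != '\r' && s[pos] != '\n')
        w += static_cast<char>(std::toupper(static_cast<unsigned char>(s[pos++])));
    return w;
}

// Decide whether one server line may update client state.
//   tlsActive: the TLS handshake has completed on this connection.
//   ourTag:    tag of the command we are waiting on (e.g. our STARTTLS).
Verdict classify(const std::string& line, bool tlsActive, const std::string& ourTag) {
    if (tlsActive) return Verdict::Apply;
    if (line.rfind("* ", 0) == 0) {
        // Assumed plaintext allow-list: status responses and CAPABILITY only.
        // RFC 3501 requires cached capabilities to be discarded after STARTTLS.
        const std::string kind = wordAt(line, 2);
        if (kind == "OK" || kind == "NO" || kind == "BAD" ||
            kind == "BYE" || kind == "CAPABILITY")
            return Verdict::Apply;
        return Verdict::Drop;  // LIST, LSUB, STATUS, ... are unauthenticated here
    }
    // Tagged completion: accept only for the command we actually sent.
    if (!ourTag.empty() && line.rfind(ourTag + " ", 0) == 0)
        return Verdict::Apply;
    return Verdict::Drop;
}

// Second layer: a mailbox name must never be able to terminate the command
// line it is embedded in, regardless of where the name came from.
bool mailboxNameIsSafe(const std::string& name) {
    for (unsigned char c : name)
        if (c == '\r' || c == '\n' || c == '\0') return false;
    return true;
}
```

A dropped line should also be logged, since an unsolicited LIST or STATUS on a plaintext connection is a useful tampering signal.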