POP Security Review Action Items

Reported: 16 years ago
Last modified: 3 years ago
Reporter: hjtoi-bugzilla
Assignee: Unassigned
Blocks: 1 bug
Keywords: sec-audit
Whiteboard: [sg:audit]

Description

Make sure return receipt requests are not sent along with forwarded messages

Can POP be configured for "highest available security" (SSL when possible)?

We should extend the internal/external URL enforcement to all Mozilla-internal
protocols (mailbox, newsmessage, mailmessage, etc.) and possibly pop.

pop and pop3 should both be "denyProtocol" in CheckLoadURI

Make it so we never send out pop, imap, mailbox, or file URLs as links or
attachment names, including drag-and-dropped attachments. More generally, we
shouldn't be revealing any unnecessary information in mail headers.

Should we block attachments, or warn the user, on a mailto:?

What happens when you use various mail schemes as a form action URL?

Are we checking for .. in mailbox URL paths, and in other paths where necessary?

We should filter control chars (returns) out of username, password, folder
names, and other opaque strings passed in the POP protocol and other protocols.

Look at what can be done with a malicious pop/imap/news server. Will reporting
too many messages cause a crash? Any buffer overruns? We should hack a pop
server to deliver unexpected content/large values.

We should have a "sensitive buffer" class for storing passwords and other
sensitive data in memory, that zeros itself out before freeing, and that won't
be swapped to disk. There's probably an existing implementation of this - we
should find it.

Look at DOM issues for when JS is enabled in the message pane. What
manipulations of the message DOM will cause problems?

Whiteboard: [sg:investigation]
Product: MailNews → Core
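Two of the items in the description concern POP3 wire handling: control characters (CR/LF) in usernames, passwords and folder names passed in the protocol, and a malicious server that reports too many messages or absurd sizes. The C++ below is an added example written for this page, not Mozilla's mailnews code. The 255-octet command and 512-octet response limits come from RFC 2449; the function names, the kMaxMessages and kMaxOctets caps, and the "reject rather than strip" policy are this example's own choices.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdlib>
#include <optional>
#include <string>

// --- client -> server: opaque strings embedded in POP3 commands ---

// Any byte below 0x20, or DEL, can end the command line early (CR, LF) or
// confuse the server's tokenizer (NUL, TAB). The credential or folder name is
// refused outright so the user finds out, instead of silently being altered.
bool ContainsControlChars(const std::string& s) {
    for (unsigned char c : s) {
        if (c < 0x20 || c == 0x7f) return true;
    }
    return false;
}

// Builds "<keyword> <arg>\r\n". Returns nullopt if arg is empty, carries
// control characters, or the finished line exceeds 255 octets (RFC 2449).
std::optional<std::string> BuildPopCommand(const std::string& keyword,
                                           const std::string& arg) {
    if (arg.empty() || ContainsControlChars(arg)) return std::nullopt;
    std::string cmd = keyword + " " + arg + "\r\n";
    if (cmd.size() > 255) return std::nullopt;
    return cmd;
}

// Plain concatenation, kept only to show the injection the item warns about:
// a username of "alice\r\nDELE 1" becomes two commands on the wire.
std::string UnsafeBuildPopCommand(const std::string& keyword,
                                  const std::string& arg) {
    return keyword + " " + arg + "\r\n";
}

// How many command lines would a server see in this byte sequence?
size_t CountCommandLines(const std::string& wire) {
    size_t n = 0;
    for (size_t pos = wire.find("\r\n"); pos != std::string::npos;
         pos = wire.find("\r\n", pos + 2)) {
        ++n;
    }
    return n;
}

// --- server -> client: numbers in a STAT response ---

// Assumed sanity caps; a server claiming more than this is treated as hostile
// rather than used to size allocations.
constexpr uint64_t kMaxMessages = 1000000;
constexpr uint64_t kMaxOctets = 1ULL << 40;  // 1 TiB

struct StatResponse {
    uint64_t count;
    uint64_t octets;
};

// Parses one unsigned decimal field with overflow checking; signs, spaces
// and trailing garbage are all rejected.
bool ParseUnsigned(const std::string& field, uint64_t max, uint64_t& out) {
    if (field.empty() || field.size() > 20) return false;
    for (unsigned char c : field) {
        if (c < '0' || c > '9') return false;
    }
    errno = 0;
    char* end = nullptr;
    unsigned long long v = std::strtoull(field.c_str(), &end, 10);
    if (errno == ERANGE || end != field.c_str() + field.size()) return false;
    if (v > max) return false;
    out = v;
    return true;
}

// Accepts exactly "+OK <count> <octets>" with an optional trailing CRLF.
std::optional<StatResponse> ParseStatResponse(std::string line) {
    if (line.size() >= 2 && line.compare(line.size() - 2, 2, "\r\n") == 0) {
        line.erase(line.size() - 2);
    }
    if (line.size() > 512) return std::nullopt;  // RFC 2449 response limit
    if (line.compare(0, 4, "+OK ") != 0) return std::nullopt;
    std::string rest = line.substr(4);
    size_t sp = rest.find(' ');
    if (sp == std::string::npos) return std::nullopt;
    StatResponse r{};
    if (!ParseUnsigned(rest.substr(0, sp), kMaxMessages, r.count)) return std::nullopt;
    if (!ParseUnsigned(rest.substr(sp + 1), kMaxOctets, r.octets)) return std::nullopt;
    return r;
}
```

The same shape (length cap, digit-only fields, range check before the value is used for allocation or loop bounds) applies to LIST and UIDL lines; only the caps and the field count change.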


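For the "sensitive buffer" item, an added C++ sketch of what such a class looks like. This is example code for this page, not the existing implementation the item says should be located; the class name, the fixed capacity, and the best-effort use of mlock() on POSIX are assumptions of the example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#if defined(__unix__) || defined(__APPLE__)
#include <sys/mman.h>
#endif

// Zeroes through a volatile pointer so the compiler cannot drop the stores as
// dead writes just because the buffer is about to be freed.
void SecureZero(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) *vp++ = 0;
}

class SensitiveBuffer {
public:
    explicit SensitiveBuffer(std::size_t capacity)
        : data_(new unsigned char[capacity]),
          capacity_(capacity),
          length_(0),
          locked_(false) {
        SecureZero(data_, capacity_);
#if defined(__unix__) || defined(__APPLE__)
        // Best effort: pin the pages so the secret is not written to swap.
        // This can fail under RLIMIT_MEMLOCK; we carry on unlocked rather
        // than refuse to hold the password at all.
        locked_ = (mlock(data_, capacity_) == 0);
#endif
    }

    ~SensitiveBuffer() {
        Clear();
#if defined(__unix__) || defined(__APPLE__)
        if (locked_) munlock(data_, capacity_);
#endif
        delete[] data_;
    }

    // No copies: a copy would be a second, unmanaged instance of the secret.
    SensitiveBuffer(const SensitiveBuffer&) = delete;
    SensitiveBuffer& operator=(const SensitiveBuffer&) = delete;

    // Stores at most capacity bytes; a longer secret is truncated, never
    // written past the end. Returns the number of bytes kept.
    std::size_t Assign(const std::string& secret) {
        Clear();
        length_ = secret.size() < capacity_ ? secret.size() : capacity_;
        std::memcpy(data_, secret.data(), length_);
        return length_;
    }

    void Clear() {
        SecureZero(data_, capacity_);
        length_ = 0;
    }

    bool IsZeroed() const {
        for (std::size_t i = 0; i < capacity_; ++i) {
            if (data_[i] != 0) return false;
        }
        return true;
    }

    std::size_t Length() const { return length_; }
    std::size_t Capacity() const { return capacity_; }
    bool Locked() const { return locked_; }
    const unsigned char* Data() const { return data_; }

private:
    unsigned char* data_;
    std::size_t capacity_;
    std::size_t length_;
    bool locked_;
};
```

The copy of the password that arrives as a std::string still has to be cleared by whoever owns it; the class only guarantees that its own copy is zeroed on Clear() and on destruction and, where mlock() succeeded, not paged out.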
Comment 1

10 years ago
Daniel Veditz [:dveditz]

bienvenu: is there anything useful left in this bug or can we resolve it and/or unhide it as a security bug?

Product: Core → MailNews Core
Assignee: naving → dbienvenu
Whiteboard: [sg:investigation] → [sg:audit]

Comment 2

7 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> bienvenu: is there anything useful left in this bug or can we resolve it
> and/or unhide it as a security bug?

I think we can unhide it. Pop3 urls have URI_DANGEROUS_TO_LOAD set. We default to SSL/TLS if possible. JS is no longer enabled in the message pane. There may be some useful things to investigate in the bug, but hiding it isn't going to help them get investigated.


7 years ago
Group: core-security
Keywords: sec-audit


7 years ago
Assignee: dbienvenu → nobody