Closed
Bug 403242
Opened 17 years ago
Closed 13 years ago
Executes arbitrary commands on NNTP server after receiving a badly formatted article
Categories: MailNews Core :: Networking: NNTP, defect
Tracking: blocking-thunderbird3.1 -
Status: RESOLVED FIXED
People: Reporter: memfis, Unassigned
Whiteboard: [sg:moderate]
Attachments (1 file): 1.06 KB, text/plain
User-Agent: Opera/9.23 (Windows NT 6.0; U; en)
Build Identifier: 2.0.0.6 (20070728)

While writing an NNTP server as part of my CS studies I came across what I think is a bug in Thunderbird's handling of downloaded articles. There is probably something untypical or maybe even contradictory to the NNTP RFC that I am doing in my server that causes the behaviour, but nevertheless I don't think that Thunderbird should ever execute parts of an article on the remote server as commands, even if the article is corrupted.

Reproducible: Always

Steps to Reproduce:
Act as an NNTP server and reproduce a session like the one attached.

Actual Results:
Thunderbird first issues a GROUP <Message-ID> command (absolutely no sense in doing that) and then a command equal to a mix of Content-Type and Content-Disposition MIME part headers (possibly dangerous and exploitable).

Expected Results:
The article should be parsed correctly or marked as corrupted if it is not conforming to the NNTP RFC.

This is an excerpt from an example of an erroneous session:

GROUP 89550684-f0df-4e9a-aea6-07645e238dd2
411 No such newsgroup
plain&filename=Test.txt
500 Unknown command
QUIT
205 Connection closing

Please see the attachment for the complete session transcript.
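The two client-side failures in the report (a message-id reissued as the argument of GROUP, and article header text sent to the server as a command) are both closed by validating the caller's intent and gating every outgoing line. The following is an added illustration in Python, not Thunderbird's code; the verb set, the regular expressions, the helper names and the sample values are assumptions made for this example.

```python
import re
from typing import Optional

# Assumed for this example: the subset of NNTP verbs (RFC 3977) this client ever sends.
ALLOWED_VERBS = {"ARTICLE", "BODY", "GROUP", "HEAD", "LIST", "MODE", "QUIT", "STAT", "XOVER"}
# RFC 5536 message-id shape: "<" id-left "@" id-right ">", no whitespace, no nested brackets.
MSGID_RE = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")
# Newsgroup name: letters, digits and the characters . + - _ only.
GROUP_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def fetch_command(target: str, by_message_id: bool) -> Optional[str]:
    """Build the one command that fetches `target`, or return None to refuse.

    The caller states its intent explicitly. A string that fails the message-id
    syntax is rejected outright; it is never reinterpreted as a newsgroup, which
    is how the report's "GROUP <Message-ID>" line came to be sent.
    """
    if by_message_id:
        mid = target if target.startswith("<") else f"<{target}>"
        return f"ARTICLE {mid}" if MSGID_RE.match(mid) else None
    return f"GROUP {target}" if GROUP_RE.match(target) else None


def is_safe_command_line(line: str) -> bool:
    """Gate every line immediately before it is written to the socket.

    Rejects non-ASCII text, embedded CR/LF (which would split one line into
    several commands) and any verb outside ALLOWED_VERBS, so article content
    such as a stray MIME parameter can never reach the server as a command.
    """
    if not line.isascii() or "\r" in line or "\n" in line:
        return False
    verb, _, _args = line.partition(" ")
    return verb in ALLOWED_VERBS


def send_line(line: str, wire: list) -> bool:
    """Append `line` to the constructed `wire` buffer (stands in for the socket)
    only if it passes the gate; report whether it was sent."""
    if not is_safe_command_line(line):
        return False
    wire.append(line + "\r\n")
    return True
```

With the report's values, the UUID-style id is refused rather than turned into a GROUP command, and the "plain&filename=Test.txt" line never reaches the wire.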
Comment 1•17 years ago
Updated•17 years ago
Version: unspecified → 2.0
Updated•17 years ago
Assignee: dveditz → bienvenu
Whiteboard: [sg:investigate]
Comment 2•16 years ago
Ah, OK, I see what's going on now. It looks like this is what's happening:
1. We try to get the message with message id <invalid message id>
2. The parser thinks it's a group from the message id
3. Somehow, the latter part is getting leaked.
Marcin, can you post an NNTP log from Thunderbird? I have a theory as to what's going on, I just need to confirm it.
Assignee: bienvenu → nobody
Status: UNCONFIRMED → NEW
Component: Security → Networking: News
Ever confirmed: true
OS: Windows Vista → All
Product: Thunderbird → Core
QA Contact: thunderbird → networking.news
Hardware: PC → All
Version: 2.0 → unspecified
Updated•16 years ago
Product: Core → MailNews Core
Updated•14 years ago
blocking-thunderbird3.1: --- → ?
Whiteboard: [sg:investigate] → [sg:moderate]
Comment 3•14 years ago
I'd love to see this bug in 3.1, but unless we have reason to believe it's being actively exploited, I don't think we'd hold for it. Marcin, if you could post the log that Joshua requested, that would enhance the chances of this bug making the release.
blocking-thunderbird3.1: ? → -
Flags: wanted-thunderbird+
Comment 4•14 years ago
For what it's worth, this will be fixed by bug 226890, part 4 I think.
Depends on: 226890
Comment 5•13 years ago
The patch that fixed this was checked in some time ago; I don't know why I forgot to resolve this as fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED