
RFC2368 security considerations



Hello,

  I found a very minor security problem in mutt.

  I told TLR about this issue, and he didn't think this was a serious
vulnerability. I also don't. So I am telling you this publicly.


Summary:

  Mutt accepts BCC, FROM, SENDER, or any other dangerous headers
via mailto URL with no warnings, and the default value of
$edit_headers is 0.


Background:

  Mutt supports the mailto URL scheme, which is described in RFC2368.
        http://www.ietf.org/rfc/rfc2368.txt
        http://www.faqs.org/rfcs/rfc2368.html
  This RFC has warnings about security issues. Please read the 7th
section, "security considerations."


Examples and ideas:

 0) Users usually don't look at their From field on the compose
   menu before sending mail. Mutt doesn't warn them even if the
   field is altered by mailto URL. IMHO, Mutt should at least give
   them a warning message.

 1) What about Sender field? This is not shown in the compose menu.
   And Resent-To/Resent-Cc/Resent-Bcc headers? You don't want these
   headers included in your messages stealthily. Moreover, the RFC
   says any headers are dangerous as well as headers related to
   routing. Imagine your mail containing this header:
     X-Spam-Message: Buy this pill/fakewatch at http://...
   Such a message could cause damage to your social position.

   For example, 
     mailto:goodone?subject=longsubject...&sender=evil&body=verylongbody...
   is very likely to be overlooked, and Mutt does not show the
   header field even once (unless $edit_headers is set).

 2) Mutt sends a message "To: eve" if this mailto URL is given:
     mailto:goodone?apparently-to=eve
   Yes, this is shown on the compose menu. But a user might check
   the URL before passing it to mutt, and say to himself "This
   is to goodone" and just ignore mutt's prompt. Sure this is not
   mutt's fault, but again, mutt should display a caution; otherwise
   it should ignore all the unsafe headers.


Patch and its bug:

  Attached. But I'm afraid this patch has two vulnerabilities left
unsolved.

 0) mutt_edit_headers() doesn't show REFERENCES header.
 1) mutt_edit_headers() doesn't show empty headers, either.

  I haven't confirmed these problems.
  I think my patch is better than nothing. But use it at your
own risk.


Regards,
-- 
tamo
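As an added example (my own code, not from this post or from mutt), a small C routine that applies the RFC 2368 section 4 safe list (Subject, Keywords, Body) to the header part of a mailto URL and counts the fields a client should warn about before sending, covering the `apparently-to`, `sender` and `Resent-*` cases from the "Examples and ideas" section above; the function name and the 64-byte header-name buffer are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp / strncasecmp (POSIX) */

/* The only header fields RFC 2368 section 4 calls both safe and useful;
 * any other hname (sender, bcc, resent-*, apparently-to, x-*) is unsafe. */
static const char *safe_hnames[] = { "subject", "keywords", "body", NULL };

/* Percent-decode src[0..n) into dst: RFC 2368 allows hname itself to be
 * %-encoded, so "%53ubject" must still be recognised as "Subject". */
static void pct_decode(const char *src, size_t n, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; i < n && o + 1 < dstlen; i++) {
        unsigned v;
        if (src[i] == '%' && i + 2 < n && sscanf(src + i + 1, "%2x", &v) == 1) {
            dst[o++] = (char)v; i += 2;            /* consume "%XX" */
        } else
            dst[o++] = src[i];
    }
    dst[o] = '\0';
}

static int hname_is_safe(const char *hname)
{
    for (int i = 0; safe_hnames[i]; i++)
        if (strcasecmp(hname, safe_hnames[i]) == 0)
            return 1;
    return 0;
}

/* Count hname=hvalue pairs after '?' whose decoded hname is not in the safe
 * list (case-insensitive). Returns -1 when url is not a mailto URL at all. */
int count_unsafe_mailto_headers(const char *url)
{
    if (strncasecmp(url, "mailto:", 7) != 0) return -1;
    const char *q = strchr(url + 7, '?');
    if (!q) return 0;                           /* address only, no headers */
    int unsafe = 0;
    for (q++; *q; ) {
        const char *amp = strchr(q, '&');
        const char *end = amp ? amp : q + strlen(q);
        const char *eq = memchr(q, '=', (size_t)(end - q));
        char hname[64];
        pct_decode(q, (size_t)((eq ? eq : end) - q), hname, sizeof hname);
        if (hname[0] && !hname_is_safe(hname))  /* "" from "?&x=y" is skipped */
            unsafe++;
        q = amp ? amp + 1 : end;
    }
    return unsafe;
}
```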
diff -pu ../mutt/mutt.h ./mutt.h
--- ../mutt/mutt.h      Wed Mar 23 19:51:11 2005
+++ ./mutt.h    Fri May 27 17:29:31 2005
@@ -505,6 +505,7 @@ enum
   OPTPGPCHECKTRUST,    /* (pseudo) used by pgp_select_key () */
   OPTDONTHANDLEPGPKEYS,        /* (pseudo) used to extract PGP keys */
   OPTUNBUFFEREDINPUT,   /* (pseudo) don't use key buffer */
+  OPTCONFIRMHEADERS,   /* (pseudo) check dangerous headers */
 
   OPTMAX
 };
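Review bot: OPTCONFIRMHEADERS is global state that url.c sets and send.c clears, so the enum comment `/* (pseudo) check dangerous headers */` should say where it is set and where it is consumed; a reader of mutt.h alone cannot tell that the flag is meant to live only until the next compose reaches the header editor.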
diff -pu ../mutt/send.c ./send.c
--- ../mutt/send.c      Fri Feb  4 02:01:44 2005
+++ ./send.c    Fri May 27 18:00:13 2005
@@ -1373,8 +1373,14 @@ ci_send_message (int flags,              /* send mod
        mutt_edit_attachment (msg->content);
       else if (!Editor || mutt_strcmp ("builtin", Editor) == 0)
        mutt_builtin_editor (msg->content->filename, msg, cur);
-      else if (option (OPTEDITHDRS))
+      else if (option (OPTEDITHDRS) || option (OPTCONFIRMHEADERS))
       {
+       if (option (OPTCONFIRMHEADERS)) /* only once */
+       {
+         mutt_message (_("Check all the headers! Some of them may be 
dangerous."));
+         mutt_sleep (1);
+       }
+       unset_option (OPTCONFIRMHEADERS);
        mutt_env_to_local (msg->env);
        mutt_edit_headers (Editor, msg->content->filename, msg, fcc, sizeof 
(fcc));
        mutt_env_to_idna (msg->env, NULL, NULL);
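Review bot: `unset_option (OPTCONFIRMHEADERS)` sits inside the branch that is only reached when an external editor is configured, so when `Editor` is `builtin` (the `mutt_builtin_editor` branch two lines above) or the attachment editor is taken, the flag is never cleared and the "Check all the headers!" message will appear on an unrelated later compose; clear the flag before the `if` chain, or make the builtin-editor path show the headers as well. Note also that the line breaks inside the `mutt_message` and `mutt_edit_headers` calls look like mail-client wrapping, so the hunk will not apply as quoted.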
diff -pu ../mutt/url.c ./url.c
--- ../mutt/url.c       Fri Feb  4 02:01:44 2005
+++ ./url.c     Fri May 27 18:02:11 2005
@@ -249,6 +249,22 @@ int url_parse_mailto (ENVELOPE *e, char 
     }
     else 
     {
+      if (ascii_strcasecmp (tag, "subject"))
+      {
+       /* RFC2368
+        * 
+        * 4. Unsafe headers:
+        *   Only the Subject, Keywords, and Body headers are
+        *   believed to be both safe and useful.
+        * 7. Security Considerations:
+        *   A mail client should never send anything without
+        *   complete disclosure to the user of what is will
+        *   be sent.
+        */
+       mutt_error (_("Warning: This mailto URL contains a dangerous header!"));
+       mutt_sleep (0);
+       set_option (OPTCONFIRMHEADERS);
+      }
       taglen = strlen (tag);
       /* mutt_parse_rfc822_line makes some assumptions */
       snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
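Review bot: `ascii_strcasecmp (tag, "subject")` flags every header other than Subject, but the RFC 2368 comment directly below it lists Keywords as safe too; either exempt Keywords in the test or drop it from the comment so the code and its justification agree. Since this runs once per header, a URL with several unsafe headers also raises the `mutt_error` repeatedly; setting OPTCONFIRMHEADERS here and leaving the single user-facing warning to send.c would be enough.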