<<< Date Index >>>     <<< Thread Index >>>

Security hole? (was: 1.5.12 release date?)



On 2006-03-02 10:40:54 -0500, Derek Martin wrote:
> Or perhaps a stable release... 1.6 maybe?

First, it seems that bug 2173 I reported several weeks ago is
a security hole, as it allows some form of header spoofing.
The user must be vigilant about this problem.

Try on the attached mailbox... Look at the headers displayed
in the pager and when replying with $edit_headers set.

This bug should be fixed before a stable release.

-- 
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA
>From a@xxxxxxxxx Thu Mar  2 15:15:36 2006
From: a@xxxxxxxxx
To: a@xxxxxxxxx
Subject: =?UTF-8?Q?Test_for_Mutt_bug_2173=0D=0ACc:_c@xxxxxxxxx?=
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Test for Mutt bug 2173:

  
http://bugs.mutt.org/cgi-bin/gnatsweb.pl?debug=&database=mutt&cmd=view+audit-trail&cmd=view&pr=2173

Possible header spoofing in pager display and in replies with $edit_headers.