Image extension issue in mime.php
From: Paul Lesniewski <paul <at> squirrelmail.org>
Subject: Image extension issue in mime.php
Newsgroups: gmane.mail.squirrelmail.devel
Date: 2008-08-21 01:30:26 GMT
All,

I was looking at an HTML email today that had an image URI that was an .asp file. SM blocked it, even when I clicked to view unsafe images.... and that's because of the .asp file extension. SM replaces all images in HTML view with a blank image unless they are simple image files with .jpg, .gif, .jpeg, .xjpeg, .jpe, .bmp, .png, or .xbm extensions.

In today's world, I think there are probably a lot of images being served dynamically, with URIs that have PHP, JSP, ASP or some other file extension. So, in a lot of cases, these should be allowed and are not necessarily threatening or ill-intentioned.

Can someone explain the rationale of keeping the list more restricted? What can a malicious image URI do if we open the list up to such file extensions? Really, if an attacker wanted to do something here, they could easily circumvent this restriction by putting a URI with a "valid" (say .png) extension that was really a php file that is dynamically executed on the target server. So what does SM *GAIN* by keeping this list of known image extensions? (What we *LOSE* is proper display of many valid HTML mails for our users.)

My feeling is that this should be addressed by either removing the restriction list completely, adding .asp, .php, .jsp, and any other common types, or putting a new configuration value in the config file for admins who would like to do this themselves.

Thoughts please?
- Paul
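The check the post describes, reduced to a small stand-alone model (added illustration, not SquirrelMail's mime.php and not Paul's code; every function and variable name here is hypothetical). It applies the extension allow-list from the post to each `<img src>` in a constructed HTML body, swaps blocked images for a local blank image, and then shows the admin-configurable variant the post proposes. Two details are worth seeing in code: the extension has to be taken from the URI's path component, not the whole string, or a query string such as `?x=.png` defeats the check; and a URI that ends in `.png` passes the check while still being served dynamically (a tracking pixel here), which is exactly why the list buys no security against a remote server the client fetches from anyway.

```php
<?php
// Hypothetical model of an <img src> extension allow-list in HTML mail view.
// Not SquirrelMail code; names are assumptions for illustration only.

// Default list of extensions as given in the post.
$default_image_exts = array('jpg', 'gif', 'jpeg', 'xjpeg', 'jpe', 'bmp', 'png', 'xbm');

// Extension of the URI's *path* component only. Looking at the whole URI
// would let "img.asp?x=.png" slip through as ".png".
function uri_extension($uri) {
    $path = parse_url($uri, PHP_URL_PATH);
    if ($path === null || $path === false) {
        return '';
    }
    $base = basename($path);
    $dot  = strrpos($base, '.');
    return ($dot === false) ? '' : strtolower(substr($base, $dot + 1));
}

// True when the image may be shown (after the user chose "view unsafe images").
function image_src_allowed($uri, $allowed_exts) {
    return in_array(uri_extension($uri), $allowed_exts, true);
}

// Replace the src of every disallowed <img> with a local blank image,
// which is the behaviour the post describes for the HTML view.
function filter_html_images($html, $allowed_exts, $blank = 'images/blank.png') {
    return preg_replace_callback(
        '/(<img\b[^>]*?\bsrc\s*=\s*)(["\'])(.*?)\2/i',
        function ($m) use ($allowed_exts, $blank) {
            $src = html_entity_decode($m[3], ENT_QUOTES);
            return image_src_allowed($src, $allowed_exts)
                ? $m[0]
                : $m[1] . $m[2] . htmlspecialchars($blank, ENT_QUOTES) . $m[2];
        },
        $html
    );
}

// Constructed sample body (not a real message). The hosts are placeholders.
$body = '<p>Hello</p>'
      . '<img src="http://cdn.example.com/img.asp?id=42">'         // blocked: .asp
      . '<img src="http://cdn.example.com/photo.jpg">'              // shown
      . '<img src="http://tracker.example.net/pixel.png?u=paul">';  // shown, yet dynamic

echo filter_html_images($body, $default_image_exts), "\n";

// Admin-configurable variant from the post: a (hypothetical) config value
// that extends the list. With it, the .asp image is shown as well.
$config_extra_image_exts = array('php', 'asp', 'jsp');
$allowed = array_merge($default_image_exts, $config_extra_image_exts);

echo filter_html_images($body, $allowed), "\n";
```

Run with `php filter_images.php` (any file name). The first line of output blanks only the `.asp` image; the second leaves all three intact. Note that in both runs the `pixel.png?u=paul` request reaches the remote host the moment the user opts into unsafe images, so the extension list changes which legitimate images are broken, not which remote hosts get contacted.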