You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-dev@james.apache.org by "Antoine Duprat (JIRA)" <se...@james.apache.org> on 2017/09/12 12:37:00 UTC
[jira] [Created] (JAMES-2144) As an attacker I can overwrite JMAP
attachment ContentType
Antoine Duprat created JAMES-2144:
-------------------------------------
Summary: As an attacker I can overwrite JMAP attachment ContentType
Key: JAMES-2144
URL: https://issues.apache.org/jira/browse/JAMES-2144
Project: James Server
Issue Type: Bug
Components: JMAP
Reporter: Antoine Duprat
Assignee: Antoine Duprat
Action: As an attacker I can overwrite JMAP attachment ContentType in anyone mailbox.
Access required:
None (sending a mail)
Exact content of the attachment whose ContentType to be replaced
Cause of the vulnerability: The content-type is not taken into account in the AttachmentId computation. Only content is. Hence sending the same message two time with different content type will result in a single attachment being stored, hence a content-type overwrite.
Exemple of exploit:
usera sends a PDF to various persons.
I receive it.
I send the same PDF to myself, but with Content-Type text/plain.
The Content-Type of the attachment is now changed for each persons.
Fixing it:
We will change the AttachmentId computation algorithm to take into account content-type. Different content type will mean different attachmentId and thus no content-type overwrite.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org