james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antoine Duprat (JIRA)" <server-...@james.apache.org>
Subject [jira] [Created] (JAMES-2144) As an attacker I can overwrite JMAP attachment ContentType
Date Tue, 12 Sep 2017 12:37:00 GMT
Antoine Duprat created JAMES-2144:
-------------------------------------

             Summary: As an attacker I can overwrite JMAP attachment ContentType
                 Key: JAMES-2144
                 URL: https://issues.apache.org/jira/browse/JAMES-2144
             Project: James Server
          Issue Type: Bug
          Components: JMAP
            Reporter: Antoine Duprat
            Assignee: Antoine Duprat


Action: As an attacker I can overwrite JMAP attachment ContentType in anyone mailbox.

Access required: 
None (sending a mail)
Exact content of the attachment whose ContentType to be replaced

Cause of the vulnerability: The content-type is not taken into account in the AttachmentId
computation. Only content is. Hence sending the same message two time with different content
type will result in a single attachment being stored, hence a content-type overwrite.

Exemple of exploit:
usera sends a PDF to various persons.
I receive it.
I send the same PDF to myself, but with Content-Type text/plain.
The Content-Type of the attachment is now changed for each persons.

Fixing it:
We will change the AttachmentId computation algorithm to take into account content-type. Different
content type will mean different attachmentId and thus no content-type overwrite.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org


Mime
View raw message