squirl mail small question on dos risk

[cssfreakie]

Hi guys,

 

I was just reading on the page of squirlmail in some update the following which made me think (uhmm okay how does that work)

The second, CVE-2010-2813, poses a denial-of-service risk when passwords containing 8-bit characters are used to log in.

I quite don't understand why something like a 8-bit character could cause a denial of service risk?

 

I know there are some ways to do a dos attack, but I never heard of this before, could anyone point me in the right direction?

Thanks

 

[xylex]

Looking at the bug report and patch, the denial of service issue doesn't have anything specific to do with 8 bit characters.  Rather, it looks like the logic dealing with the issue that their quoteimap() function didn't work well with 8 bit characters (plenty of reasons this might occur), so they had different handling for 8 bit characters, and this alternate path had the defect.

[cssfreakie]

alrighty, i'll have a look into that. I am certainly not a security guru

 

Thanks mate!

[cssfreakie]

hmm i read a bit and a bit, and i think i found something that might be useful here too.: http://xforce.iss.net/xforce/xfdb/61124

It seems that by entering 8 bit characters in the  username and or password field the processing script, tries to process them as 7-bit but fails in doing so, and by doing so it consumes large amounts of processing power, making the server go nuts (small joke for squirlmail 0_o ).

 

I tried to read the patch you linked to, but those are native functions I think to squirlmail and written in a rather odd format for my understanding.

May I assume that by forcing utf8 for own input values it prevents from this sort of attacks?

Sorry if the above sounds stupid, as a non native speaker, this is what i think is the core of the problem. (sending characters to process that consume to much memory, making the server go banana's)