
Hi guys,

 

I was just reading on the page of SquirrelMail, in some update, the following, which made me think (uhmm okay, how does that work):

The second, CVE-2010-2813, poses a denial-of-service risk when passwords containing 8-bit characters are used to log in.

I don't quite understand why something like an 8-bit character could cause a denial-of-service risk?

I know there are some ways to do a DoS attack, but I never heard of this before. Could anyone point me in the right direction?

Thanks ::)

 


Looking at the bug report and patch, the denial of service issue doesn't have anything specific to do with 8-bit characters. Rather, it looks like their quoteimap() function didn't work well with 8-bit characters (plenty of reasons this might occur), so they had different handling for 8-bit characters, and this alternate path had the defect.

Hmm, I read a bit and a bit, and I think I found something that might be useful here too: http://xforce.iss.net/xforce/xfdb/61124

It seems that by entering 8-bit characters in the username and/or password field, the processing script tries to process them as 7-bit but fails in doing so, and by doing so it consumes large amounts of processing power, making the server go nuts (small joke for SquirrelMail 0_o).

 

I tried to read the patch you linked to, but those are, I think, functions native to SquirrelMail, and written in a rather odd format for my understanding.

May I assume that forcing UTF-8 for one's own input values prevents this sort of attack?

Sorry if the above sounds stupid; as a non-native speaker, this is what I think is the core of the problem (sending characters to process that consume too much memory, making the server go bananas).
