Tomas Kuliavas | 21 Apr 2012 17:34

Re: G/PGP plugin


carst wrote:
> 
> Anyway, much of the old plugin version still works. Let's get it fixed and
> offer a beta on the plugin page for download.
> 
The old plugin version has at least three security issues, a serious
performance/memory problem with keyrings that have trusted keys, hardcoded
delays that will piss off any user, and more.
-- 
View this message in context: http://old.nabble.com/G-PGP-plugin-tp33722382p33725769.html
Sent from the squirrelmail-plugins mailing list archive at Nabble.com.

squirrelmail-plugins mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-plugins <at> lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.plugins
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins

carst | 23 Apr 2012 19:45

Re: G/PGP plugin


Tomas Kuliavas wrote:
> 
> old plugin version has at least three security issues, serious
> performance/memory problem with keyrings that have trusted keys, hardcoded
> delays that will piss any user and more.
> 

Are those issues so fundamental that it doesn't make sense to rewrite the
old plugin and write a new one instead?
-- 
View this message in context: http://old.nabble.com/G-PGP-plugin-tp33722382p33732512.html
Sent from the squirrelmail-plugins mailing list archive at Nabble.com.


Eray Aslan | 24 Apr 2012 09:36

Re: G/PGP plugin

On 2012-04-23 8:45 PM, carst wrote:
> Are those issues so fundamental, that it doesn't make sense to rewrite the
> old plugin and write a new one instead?

Well, with the current plugin, your private key is kept on the server
and is accessible to the web server.  That's not good security and I can
see why one would not be really enthusiastic about the re-write.  A new
design is needed - not a simple re-write - and I am not sure if it is
doable without major surgery.

-- 
Eray Aslan


Tomas Kuliavas | 24 Apr 2012 18:06

Re: G/PGP plugin


carst wrote:
> 
> 
> Tomas Kuliavas wrote:
>> 
>> old plugin version has at least three security issues, serious
>> performance/memory problem with keyrings that have trusted keys,
>> hardcoded delays that will piss any user and more.
>> 
> 
> Are those issues so fundamental, that it doesn't make sense to rewrite the
> old plugin and write a new one instead?
> 
The XSS and file deletion problems are simple enough and can be fixed
easily, if you know where they are. I think the bugtraq report has enough
information about them. Even if bugtraq does not disclose it, "file
deletion" can be performed only with some PHP commands.

The remote execution issue is a different beast, and if you can't get the
report information from Stephen Escher, you will be forced to review and
sanitize every call to be safe. That's lots of calls and lots of legacy cruft.

For me it took three months and a Zend Studio Pro license to review the plugin.
Some changes required changes in the webmail itself.
-- 
View this message in context: http://old.nabble.com/G-PGP-plugin-tp33722382p33740149.html
Sent from the squirrelmail-plugins mailing list archive at Nabble.com.
