Date: Wed, 24 Dec 2008 12:49:57 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re:  Re: CVE Request - roundcubemail


On Wed, 17 Dec 2008, Florian Weimer wrote:

> > I bet there's a chunk of these in various applications.  I believe Perl
> > has similar functionality.
>
> Not quite, the s///e operator uses a compile-time transformation for
> the replacement expression, so it shouldn't be affected by this very
> issue.
>
> \Q \E pairs are an issue in the pattern, not the replacement.
> Mistakes in this area increase the attack surface by exposing the
> regular expression compiler to potentially hostile input, and it may
> lead to denial-of-service vulnerabilities because some implementations
> do not cope well with certain patterns.  Perhaps CWE-624 should be
> split to reflect this?

We'll take a closer look at it.

I'm not exactly sure what you're saying here, though.  Do you mean that if
attackers can insert a \Q or \E into the pattern, then they might be able
to effectively modify the pattern in unexpected ways?  I could imagine how
inserting a \E followed by something like "." would change the meaning of
the regexp.

- Steve
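
Added example, not part of the original message: a Perl sketch of the pattern-side issue discussed above, showing an interpolated term with and without `\Q...\E`, and what happens when the term itself contains `\E`. The file name, search terms and sub names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (hypothetical, not from the thread).
my $stored = 'report-2008.txt';

# Mistake: the untrusted term is interpolated as regex syntax, so its
# metacharacters become part of the pattern handed to the regex compiler.
sub match_unquoted {
    my ($term, $subject) = @_;
    return $subject =~ /^$term$/ ? 1 : 0;
}

# Fix: \Q...\E runs quotemeta() on the interpolated value, so every
# metacharacter in the term, backslashes included, is matched literally.
sub match_quoted {
    my ($term, $subject) = @_;
    return $subject =~ /^\Q$term\E$/ ? 1 : 0;
}

# Compare both forms for an exact term, a near miss, and a wildcard.
for my $term ('report-2008.txt', 'report.2008.txt', '.*') {
    printf "%-18s unquoted=%d quoted=%d\n", $term,
        match_unquoted($term, $stored), match_quoted($term, $stored);
}

# A term that itself carries \E: quotemeta() escapes the backslash before
# the regex is compiled, so the quoting is not ended early by the input.
my $with_e = 'report\E.*';
printf "%-18s quoted=%d (against the stored name)\n",
    $with_e, match_quoted($with_e, $stored);
printf "%-18s quoted=%d (against the identical string)\n",
    $with_e, match_quoted($with_e, $with_e);
printf "quotemeta() output: %s\n", quotemeta($with_e);
```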
