Antoine Duprat created JAMES-2144:
-------------------------------------

    Summary: As an attacker I can overwrite JMAP attachment ContentType
        Key: JAMES-2144
        URL: https://issues.apache.org/jira/browse/JAMES-2144
    Project: James Server
 Issue Type: Bug
 Components: JMAP
   Reporter: Antoine Duprat
   Assignee: Antoine Duprat

Action:
As an attacker I can overwrite JMAP attachment ContentType in anyone's mailbox.

Access required:
 - None (sending a mail)
 - Exact content of the attachment whose ContentType is to be replaced

Cause of the vulnerability:
The content-type is not taken into account in the AttachmentId computation. Only the content is. Hence sending the same message twice with different content types will result in a single attachment being stored, hence a content-type overwrite.

Example of exploit:
usera sends a PDF to various persons. I receive it. I send the same PDF to myself, but with Content-Type text/plain. The Content-Type of the attachment is now changed for each person.

Fixing it:
We will change the AttachmentId computation algorithm to take the content-type into account. A different content type will mean a different attachmentId and thus no content-type overwrite.
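
The cause and the planned fix described above, modelled as an added example (not code from James or from the issue): the class and method names, the use of SHA-256, the length-prefixed encoding and the in-memory map standing in for the attachment store are all assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiFunction;

public class AttachmentIdDemo {
    // Hash the parts with a length prefix so part boundaries stay unambiguous.
    static String sha256Hex(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (byte[] part : parts) {
                md.update(ByteBuffer.allocate(4).putInt(part.length).array());
                md.update(part);
            }
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest()) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Behaviour described in the report: only the content feeds the id.
    static String idFromContent(byte[] content, String contentType) {
        return sha256Hex(content);
    }

    // Planned fix: the content type is part of the id.
    static String idFromContentAndType(byte[] content, String contentType) {
        return sha256Hex(contentType.getBytes(StandardCharsets.UTF_8), content);
    }

    // Hypothetical shared store, id -> Content-Type; saving under an existing id overwrites.
    static Map<String, String> deliver(BiFunction<byte[], String, String> idOf) {
        byte[] pdf = "%PDF-1.4 constructed sample".getBytes(StandardCharsets.UTF_8);
        Map<String, String> store = new HashMap<>();
        store.put(idOf.apply(pdf, "application/pdf"), "application/pdf"); // original mail
        store.put(idOf.apply(pdf, "text/plain"), "text/plain");           // same bytes, other type
        return store;
    }

    public static void main(String[] args) {
        System.out.println("content only:     " + deliver(AttachmentIdDemo::idFromContent).values());
        System.out.println("content and type: " + deliver(AttachmentIdDemo::idFromContentAndType).values());
    }
}
```

With the content-only id the store ends up with a single entry whose type has been replaced; with the content type included, both entries exist and the original `application/pdf` record is untouched.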