List: oss-security
Subject: Re: [oss-security] New SMTP smuggling attack
From: Steffen Nurpmeso <steffen () sdaoden ! eu>
Date: 2024-04-30 22:48:23
Message-ID: 20240430224823.uA8Nr1Cp () steffen%sdaoden ! eu
Mark Esler wrote in
<ZjBHOEHylGAaIo57@moon>:
|To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
|should comply with RFC 5321 section 4.1.1.4 [0] to strip control
|characters other than <SP>, <HT>, <CR>, and <LF> in the DATA section of
|SMTP messages.
Given that RFC 733 is from 1977 and RFC 822 is from 1982, I feel
this entire thread is exaggerating.
The smuggling problem was solely rooted in the LF / CRLF "wars"
from at minimum the early 70s (Unix and more), with terminal
drivers doing auto-translation on the fly, etc etc etc.
The internet history list may be worthwhile for this, or examining
the history of Unix programs. I.e., in January I also (funny)
talked to John Klensin on an IETF list saying
[.]The CR/LF "problem" seems to have been "addressed" in
UNIX as early as 1972, ie "6/12/72 STTY (II)" gives
020 map CR into LF; echo LF or CR as LF-CR
...
Mode 020 causes input carriage returns to be turned into new-lines;
input of either CR or LF causes LF-CR both to be echoed
(used for GE TermiNet 300's and other terminals without the
newline function).
In 1974 it became
-nl allow carriage return for new-line,
and output CR-LF for carriage return or new-line
nl accept only new-line to end lines
Which makes me *think* that "Houston, we have a problem" was
ACKnowledged, and in order not to be a crook something would have
been done about it, saving even a byte per line. But i do not
know, this was all military and other high sphere academics by
then. Interesting, by the way, that "so many" expensive decisions
were deemed necessary[.]
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
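The mechanics behind the two points raised above (the quoted RFC 5321 4.1.1.4 mitigation, and the LF / CRLF root cause) as an added example that is not part of the thread or of any MTA's code: a vulnerable outbound relay dot-stuffs only CRLF-terminated lines and so misses a "." line that follows a bare LF, while a lenient inbound server accepts <LF>.<CR><LF> as end-of-data and parses what follows as a fresh envelope; a hardened relay normalises bare CR/LF to CRLF and drops other control characters before dot-stuffing, after which the same payload stays one message at either receiver. The message content, the regexes and all function names are constructed for this illustration.

```python
"""Added example (not from the thread): how bare-LF handling lets a second
message be smuggled inside one SMTP DATA payload, and how a sending MTA
closes the hole by normalising line endings before dot-stuffing."""
import re

# Constructed sample, not a real capture: the content a submitting client hands
# to the outbound MTA. It contains "<LF>.<CR><LF>", which is NOT the RFC 5321
# end-of-data sequence <CR><LF>.<CR><LF>, followed by a second envelope.
CONSTRUCTED_CONTENT = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"legit body\r\n"
    b"\n.\r\n"                              # bare LF before the dot
    b"MAIL FROM:<admin@example.org>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: smuggled\r\n"
    b"\r\n"
    b"forged body"
)

# End-of-data as RFC 5321 defines it, and a lenient variant (hypothetical
# receiver behaviour) that also accepts bare LF or bare CR around the dot.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def bare_line_breaks(data: bytes) -> list:
    """Offsets of bare CR or bare LF, for an MTA that prefers to reject such
    input outright (RFC 5321 2.3.8: clients MUST NOT transmit them)."""
    return [m.start() for m in re.finditer(rb"\r(?!\n)|(?<!\r)\n", data)]


def normalize_data(data: bytes) -> bytes:
    """Rewrite a DATA payload so every line ends in CRLF and no control character
    other than HT, CR and LF survives (the RFC 5321 4.1.1.4 rule quoted in the
    thread, applied as repair rather than rejection)."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == 0x0D:                       # CR, with or without a following LF
            out += b"\r\n"
            i += 2 if i + 1 < len(data) and data[i + 1] == 0x0A else 1
        elif b == 0x0A:                     # bare LF
            out += b"\r\n"
            i += 1
        elif (b < 0x20 and b != 0x09) or b == 0x7F:
            i += 1                          # drop other control characters
        else:
            out.append(b)
            i += 1
    return bytes(out)


def dot_stuff(data: bytes) -> bytes:
    """Sender-side transparency (RFC 5321 4.5.2): a line that begins with '.'
    gets one more leading '.'. Only CRLF-terminated lines are considered, which
    is exactly why a bare-LF '.' line slips through when data is not normalised."""
    return b"\r\n".join(b"." + l if l.startswith(b".") else l
                        for l in data.split(b"\r\n"))


def unstuff(body: bytes) -> bytes:
    """Receiver-side transparency: remove the stuffed leading dot."""
    return b"\r\n".join(l[1:] if l.startswith(b"..") else l
                        for l in body.split(b"\r\n"))


def relay(content: bytes, sanitize: bool) -> bytes:
    """Bytes the outbound MTA puts on the wire after its own DATA command:
    optionally normalised, then dot-stuffed, then terminated with CRLF.CRLF."""
    if sanitize:
        content = normalize_data(content)
    return dot_stuff(content) + b"\r\n.\r\n"


def receive(wire: bytes, eod: "re.Pattern") -> list:
    """Simulate the inbound MTA from the moment it replied 354 to DATA: collect
    message bodies; lines after an end-of-data match are treated as commands
    (not executed here), and a DATA command re-enters message mode."""
    messages, pos, in_data = [], 0, True
    while pos < len(wire):
        if in_data:
            # The CRLF that ended the DATA command counts as the first line
            # break, so seed the scan with it (this also allows an empty body).
            m = eod.search(b"\r\n" + wire[pos:])
            if m is None:
                break                       # incomplete; a real server keeps reading
            messages.append(unstuff(wire[pos:pos + max(m.start() - 2, 0)]))
            pos += m.end() - 2
            in_data = False
        else:
            nl = wire.find(b"\n", pos)
            line = wire[pos:nl + 1] if nl != -1 else wire[pos:]
            pos = nl + 1 if nl != -1 else len(wire)
            if line.strip().upper() == b"DATA":
                in_data = True
    return messages


def demo() -> dict:
    """How many messages the inbound server accepts for each sender/receiver pair."""
    vulnerable = relay(CONSTRUCTED_CONTENT, sanitize=False)
    hardened = relay(CONSTRUCTED_CONTENT, sanitize=True)
    return {
        "vulnerable_sender+lenient_receiver": len(receive(vulnerable, LENIENT_EOD)),
        "vulnerable_sender+strict_receiver": len(receive(vulnerable, STRICT_EOD)),
        "hardened_sender+lenient_receiver": len(receive(hardened, LENIENT_EOD)),
    }


if __name__ == "__main__":
    for pair, count in demo().items():
        print(f"{pair}: {count} message(s)")
```

The only combination that yields two messages is the vulnerable sender paired with the lenient receiver; fixing either side is enough, which is why the thread's RFC 5321 4.1.1.4 advice (normalise or reject bare CR/LF and stray control characters before relaying) and a strict <CRLF>.<CRLF>-only receiver are complementary rather than alternative fixes.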