FastMail.FM Security Vulnerabilities - mike-cardwell
https://grepular.com/FastMail_FM_Security_Vulnerabilities
======
Auguste

    I disclosed them responsibly and they were fixed before I published this blog post.

As a Fastmail.fm user, thanks for your work in improving the service by
notifying the team of these vulnerabilities.

------
MichaelGG
Does anyone else find it rather insane that SVG allows bundling code? "Active"
documents like PDF and Office have demonstrated the problems associated. Why
does a vector graphic format need scripts?

~~~
rpsw
When you consider SVG can be seen as an potential alternative to Flash for
some projects, it is not hard to understand why manipulation through scripting
is a desired feature.

~~~
MichaelGG
So instead of creating a vector format that can be safely used and manipulated
from a containing environment (like any other "dumb" image format), they
wanted to go make a whole new rich document system? Sigh.

------
wulczer
Would serving attachment previews from a separate domain, like
fastmail-usercontent.fm, help?

~~~
mike-cardwell
Using a separate domain to display the attachments is a good idea. Gmail does
it. It is mentioned towards the end of the blog post. However, that still
doesn't get rid of the vulnerability, it just makes it less dangerous.

There should be a strict whitelist of allowed content types, and anything not
on that list should be download only. The trouble is, people tend to put
"image/*" on that list, because they don't know what an SVG is or what it can
do.

------
wingo
Nice work, and (as another fastmail.fm user) thank you for the responsible
disclosure. May it amply repay you in consulting gigs :)

Regarding the script injection from image file names, there is a simple
solution to this problem: separate the data types of strings and document
structure. For example:

http://www.gnu.org/software/guile/manual/html_node/Types-and-the-Web.html
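As an added illustration of both points raised above (the exact-type allowlist mike-cardwell describes, and building markup from data rather than splicing filenames into it, as wingo suggests), here is example Python that is not from FastMail, Horde or the blog post; the allowlist contents, header choices and sample filenames are assumptions.

```python
import html
import re
from urllib.parse import quote

# Assumed allowlist of exact media types that may render inline in the preview.
# image/svg+xml is deliberately absent: an "image/*" wildcard would admit it,
# and SVG can carry <script>, which is the flaw discussed in this thread.
INLINE_ALLOWLIST = frozenset({"image/png", "image/jpeg", "image/gif", "text/plain"})

_MEDIA_TYPE = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")


def parse_media_type(content_type):
    """Normalise a Content-Type value to lower-case type/subtype, dropping parameters."""
    media = content_type.split(";", 1)[0].strip().lower()
    # Anything that is not a single well-formed type/subtype token is treated as opaque bytes.
    return media if _MEDIA_TYPE.fullmatch(media) else "application/octet-stream"


def wildcard_allows_inline(media_type):
    """The naive policy the comment warns about: every image/* is shown inline."""
    return media_type.startswith("image/") or media_type == "text/plain"


def allowlist_allows_inline(media_type):
    """The strict policy: only exact types on the allowlist render inline."""
    return media_type in INLINE_ALLOWLIST


def attachment_headers(content_type, filename):
    """Response headers for serving an attachment: allowlist decides inline vs download,
    non-allowlisted types are relabelled as opaque bytes, nosniff stops the browser from
    second-guessing, and the filename is encoded rather than interpolated raw."""
    media = parse_media_type(content_type)
    inline = allowlist_allows_inline(media)
    # RFC 6266 style: ASCII-only fallback plus percent-encoded UTF-8 filename*.
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    encoded = quote(filename, safe="")
    return {
        "Content-Type": media if inline else "application/octet-stream",
        "Content-Disposition": f"{'inline' if inline else 'attachment'}; "
                               f"filename=\"{ascii_name}\"; filename*=UTF-8''{encoded}",
        "X-Content-Type-Options": "nosniff",
    }


def render_attachment_link(href, filename):
    """Build the attachment list entry from data: the filename is escaped on the way into
    markup, so a name containing tags stays text instead of becoming document structure."""
    return '<a href="{}">{}</a>'.format(html.escape(href, quote=True),
                                        html.escape(filename, quote=True))
```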

------
rvschuilenburg
I noticed my e-mail provider also gave me the JS popup when I clicked the SVG
attachment. They are using Horde. Possible Horde security flaw?

~~~
mike-cardwell
If the JavaScript executed, it's a "probable" critical security flaw, rather
than a "possible" one. Are they using the latest version? Would you be able to
submit a bug report to your provider and/or the Horde project?

[edit] I have alerted security@horde.org

~~~
rvschuilenburg
I've sent them an e-mail. I will let you know when I know more :)

~~~
mike-cardwell
Thanks. I am currently discussing the problem with Jan Schneider (the core
developer and a founding member of Horde LLC) in the #horde IRC channel on
Freenode.

[edit] They've confirmed the bug and intend to fix it by making
"image/svg+xml" attachments download only. This is the same fix that FastMail
used. Of course, everyone will need to upgrade when this has been done.

~~~
rvschuilenburg
My e-mail provider has fixed this by displaying the attachment as plain text.
I guess until they update to the newest Horde where it has been fixed.

~~~
mike-cardwell
That's an impressively fast fix for an e-mail provider. Are you able to
disclose who you are using?

~~~
rvschuilenburg
I agree, I was also impressed. It's a Dutch provider, dds.nl

