Thread: Re: [SM-PLUGINS] G/PGP plugin

Brought to you by: jangliss, jervfors, kink, pdontthink

squirrelmail-plugins

Re: [SM-PLUGINS] G/PGP plugin

From: Tomas K. <to...@us...> - 2012-04-21 15:34:24


carst wrote:
> 
> Anyway, much of the old plugin version still works. Let's get it fixed and
> offer a beta on the plugin page for download.
> 
old plugin version has at least three security issues, serious
performance/memory problem with keyrings that have trusted keys, hardcoded
delays that will piss any user and more.
-- 
View this message in context: http://old.nabble.com/G-PGP-plugin-tp33722382p33725769.html
Sent from the squirrelmail-plugins mailing list archive at Nabble.com.

Re: [SM-PLUGINS] G/PGP plugin

From: carst <ca...@ca...> - 2012-04-23 18:22:33


Tomas Kuliavas wrote:
> 
> old plugin version has at least three security issues, serious
> performance/memory problem with keyrings that have trusted keys, hardcoded
> delays that will piss any user and more.
> 

Are those issues so fundamental, that it doesn't make sense to rewrite the
old plugin and write a new one instead?
-- 
View this message in context: http://old.nabble.com/G-PGP-plugin-tp33722382p33732512.html
Sent from the squirrelmail-plugins mailing list archive at Nabble.com.

Re: [SM-PLUGINS] G/PGP plugin

From: Eray A. <era...@ca...> - 2012-04-24 07:54:27

On 2012-04-23 8:45 PM, carst wrote:
> Are those issues so fundamental, that it doesn't make sense to rewrite the
> old plugin and write a new one instead?

Well, with the current plugin, your private key is kept on the server
and is accessible to the web server.  That's not good security and I can
see why one would not be really enthusiastic about the re-write.  A new
design is needed - not a simple re-write - and I am not sure if it is
doable without major surgery.

-- 
Eray Aslan

Re: [SM-PLUGINS] G/PGP plugin

From: Tomas K. <to...@us...> - 2012-04-24 16:06:49


carst wrote:
> 
> 
> Tomas Kuliavas wrote:
>> 
>> old plugin version has at least three security issues, serious
>> performance/memory problem with keyrings that have trusted keys,
>> hardcoded delays that will piss any user and more.
>> 
> 
> Are those issues so fundamental, that it doesn't make sense to rewrite the
> old plugin and write a new one instead?
> 
XSS and file deletion problems are simple enough and they can be fixed
easily, if you know where they are. I think bugtraq report has enough
information about them. even if bugtraq does not disclose it, "file
deletion" can be performed only with some PHP commands.

Remote execution issue is different beast and if you can't get report
information from Stephen Escher, you will be forced to review and sanitize
every call to be safe. That's lots of calls and lots of legacy cruft.

For me it took three months and Zend Studio Pro license to review plugin.
Some changes required changes in webmail itself. 
-- 
View this message in context: http://old.nabble.com/G-PGP-plugin-tp33722382p33740149.html
Sent from the squirrelmail-plugins mailing list archive at Nabble.com.