[liberationtech] FOE - feed over email

Rebecca MacKinnon rebecca.mackinnon at gmail.com
Sun Mar 13 19:29:14 PDT 2011


Hi there. A query was posted to the list about this a couple months ago. Listmember Steve Weis responded: 
---
Glancing through the code, I don't see any circumvention. It relies on
using a mail provider that supports SSL. That is optional and must be
configured by the end user (see below).

If a user does not configure FOE to use an SSL email provider,
everything will be sent in the clear. That is easy to filter and could
put end users receiving verboten material at risk.

Worse, there is no authentication of message payloads from the server.
I think I can spoof a message with a malicious payload that will be
written to disk in the client's RSS catalog (see link below).

This is somewhat moot because it is Windows-only, requires installing
a client, and no binaries are available for download. That's probably
a good thing.

A couple issues from a cursory look at the code:
1. SSL is not required. Someone using this who didn't explicitly use
an email provider supporting SSL will be trivial to track:
http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Common/OpenPOP-SSL/POP3/POPClient.cs#444
2. There is no authentication of messages from the server. This could
put clients at risk since they will be saving untrusted content to
disk: http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Client/FoeClientMessage.cs#290
3. I suspect the server DB code is vulnerable to SQL injection attack,
although input might be getting properly sanitized by C#'s SqlClient.
I will bet a beer that someone can find an exploit:
http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Server/FoeServerMessage.cs#259

Background links:
http://code.google.com/p/foe-project/
http://www.defcon.org/images/defcon-18/dc-18-presentations/Ho/DEFCON-18-Ho-FOE.pdf



On Mar 13, 2011, at 10:04 PM, Katrin Verclas wrote:

> Hi, list -- came across this project: http://code.google.com/p/foe-project/.  
> 
> It claims to: FOE (Feed Over Email) is a new tool that allows users to receive RSS feeds from foreign websites without the need to find a working proxy server or install any proxy software.
> 
> Technically, FOE is built on top of SMTP and works on most email servers as long as the user has access to POP3 and SMTP.
> 
> Have not checked it out and it's late but wonder whether anyone has tested/checked out?  
> 
> 
> Katrin Verclas
> MobileActive.org
> katrin at mobileactive.org
> 
> skype/twitter: katrinskaya
> (347) 281-7191
> 
> A global network of people using mobile technology for social impact
> http://mobileactive.org
> 

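Steve's second point above, as an added example that is neither the FOE project's code nor his: a server-side MAC over each feed payload and the matching client-side check that runs before anything is written to the on-disk RSS catalog, with the unsigned case rejected. The shared secret, the `X-FOE-Signature` header, the message layout and the `pop3_connection` helper (TLS-only POP3, for his first point) are all assumptions.

```python
import email
import hashlib
import hmac
import poplib
import ssl
from email import policy
from email.message import EmailMessage
from typing import Optional

SECRET = b"constructed-shared-secret"   # assumed: provisioned out of band, not FOE's design
SIG_HEADER = "X-FOE-Signature"          # hypothetical header name carrying the MAC


def pop3_connection(host: str, port: int = 995) -> poplib.POP3_SSL:
    """Talk POP3 only over TLS with certificate checks: no cleartext fallback."""
    return poplib.POP3_SSL(host, port, context=ssl.create_default_context())


def sign_feed(feed_xml: bytes, secret: bytes = SECRET) -> str:
    """Server side: HMAC-SHA256 over the exact payload bytes that will be mailed."""
    return hmac.new(secret, feed_xml, hashlib.sha256).hexdigest()


def build_feed_mail(feed_xml: bytes, secret: Optional[bytes] = SECRET) -> bytes:
    """Wrap a feed in an email; secret=None reproduces the unauthenticated case."""
    msg = EmailMessage()
    msg["From"] = "foe-server@example.invalid"   # constructed sender
    msg["Subject"] = "FOE feed"
    if secret is not None:
        msg[SIG_HEADER] = sign_feed(feed_xml, secret)
    msg.set_content(feed_xml, maintype="application", subtype="rss+xml")
    return msg.as_bytes()


def verify_feed_mail(raw: bytes, secret: bytes = SECRET) -> Optional[bytes]:
    """Client side: hand back the payload only if its MAC verifies, else None.

    Anything that returns None must never reach the on-disk RSS catalog."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    payload = msg.get_payload(decode=True)
    tag = (msg.get(SIG_HEADER) or "").strip()
    if payload is None or not tag:
        return None                       # unsigned: the behaviour Steve flagged
    expected = sign_feed(payload, secret)
    if not hmac.compare_digest(tag, expected):
        return None                       # forged or altered in transit
    return payload
```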