[liberationtech] FOE - feed over email

Daniel Margolis dan at af0.net
Mon Mar 14 09:34:42 PDT 2011


http://www.owasp.org/index.php/Avoiding_SQL_Injection#.NET

"Parameter collections such as SqlParameterCollection provide type checking
and length validation. If you use a parameters collection, input is treated
as a literal value, and SQL Server does not treat it as executable code and
therefore the payload cannot be injected."
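The contrast Steve's point 3 and the OWASP excerpt describe, as an added C# example (not the FOE project's code; the FeedRequests table, its columns and the column sizes are assumed):

```csharp
// Added example, not FOE code: two ways a server might store a feed
// request taken from an inbound e-mail. Table and column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class FeedRequestStore
{
    // VULNERABLE: the e-mail body is spliced into the SQL text. A feed URL
    // containing a single quote closes the string literal, and whatever
    // follows it is parsed and run by SQL Server as part of the statement.
    public static void SaveUnsafe(SqlConnection conn, string sender, string feedUrl)
    {
        var sql = "INSERT INTO FeedRequests (Sender, FeedUrl) VALUES ('"
                  + sender + "', '" + feedUrl + "')";
        using (var cmd = new SqlCommand(sql, conn))
            cmd.ExecuteNonQuery();
    }

    // SAFE: the SQL text is a constant; the values travel as typed
    // parameters, which SQL Server treats as literals, never as code.
    public static void SaveParameterized(SqlConnection conn, string sender, string feedUrl)
    {
        const string sql =
            "INSERT INTO FeedRequests (Sender, FeedUrl) VALUES (@sender, @feedUrl)";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring SqlDbType and Size is the "type checking and length
            // validation" OWASP mentions: a value longer than the declared
            // size is truncated to it instead of reaching the query text,
            // and a value of the wrong type fails before the round trip.
            cmd.Parameters.Add("@sender", SqlDbType.NVarChar, 320).Value = sender;
            cmd.Parameters.Add("@feedUrl", SqlDbType.NVarChar, 2048).Value = feedUrl;
            cmd.ExecuteNonQuery();
        }
    }
}
```

A server built the first way is what a reviewer would look for at the FoeServerMessage.cs line Steve links; the second form is the fix, whatever the surrounding SqlClient code does.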

On Mon, Mar 14, 2011 at 8:30 AM, Steve Weis <steveweis at gmail.com> wrote:

> I wrote a blog post outlining these concerns:
> http://blog.saweis.net/security-issues-with-feed-over-email
>
> On Sun, Mar 13, 2011 at 7:29 PM, Rebecca MacKinnon <
> rebecca.mackinnon at gmail.com> wrote:
>
>> Hi there. A query was posted to the list about this a couple months ago.
>> Listmember Steve Weis responded:
>> ---
>> Glancing through the code, I don't see any circumvention. It relies on
>> using a mail provider that supports SSL. That is optional and must be
>> configured by the end user (see below).
>>
>> If a user does not configure FOE to use an SSL email provider,
>> everything will be sent in the clear. That is easy to filter and could
>> put end users receiving verboten material at risk.
>>
>> Worse, there is no authentication of message payloads from the server.
>> I think I can spoof a message with a malicious payload that will be
>> written to disk in the client's RSS catalog (see link below).
>>
>> This is somewhat moot because it is Windows-only, requires installing
>> a client, and no binaries are available for download. That's probably
>> a good thing.
>>
>> A couple issues from a cursory look at the code:
>> 1. SSL is not required. Someone using this who didn't explicitly use
>> an email provider supporting SSL will be trivial to track:
>>
>> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Common/OpenPOP-SSL/POP3/POPClient.cs#444
>> 2. There is no authentication of messages from the server. This could
>> put clients at risk since they will be saving untrusted content to
>> disk:
>> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Client/FoeClientMessage.cs#290
>> 3. I suspect the server DB code is vulnerable to SQL injection attack,
>> although input might be getting properly sanitized by C#'s SqlClient.
>> I will bet a beer that someone can find an exploit:
>>
>> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Server/FoeServerMessage.cs#259
>>
>> Background links:
>>
>> http://code.google.com/p/foe-project/
>>
>> http://www.defcon.org/images/defcon-18/dc-18-presentations/Ho/DEFCON-18-Ho-FOE.pdf
>>
>>
>>
>> On Mar 13, 2011, at 10:04 PM, Katrin Verclas wrote:
>>
>> Hi, list -- came across this project:
>> http://code.google.com/p/foe-project/.
>>
>> It claims to: FOE (Feed Over Email) is a new tool that allows users to
>> receive RSS feeds from foreign websites without the need to find a working
>> proxy server or install any proxy software.
>>
>> Technically, FOE is built on top of SMTP and works on most email servers as
>> long as the user has access to POP3 and SMTP.
>>
>> Have not checked it out and it's late, but wonder whether anyone has
>> tested/checked it out?
>>
>>
>> Katrin Verclas
>> MobileActive.org
>> katrin at mobileactive.org
>>
>> skype/twitter: katrinskaya
>> (347) 281-7191
>>
>> A global network of people using mobile technology for social impact
>> http://mobileactive.org
>>
>> _______________________________________________
>> liberationtech mailing list
>> liberationtech at lists.stanford.edu
>>
>> Should you need to change your subscription options, please go to:
>>
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> If you would like to receive a daily digest, click "yes" (once you click
>> above) next to "would you like to receive list mail batched in a daily
>> digest?"
>>
>> You will need the user name and password you receive from the list
>> moderator in monthly reminders.
>>
>> Should you need immediate assistance, please contact the list moderator.
>>
>> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>>
>