[liberationtech] FOE - feed over email
Steve Weis
steveweis at gmail.com
Mon Mar 14 11:32:56 PDT 2011
Good to hear. I'll update the post as such.
On Mon, Mar 14, 2011 at 9:34 AM, Daniel Margolis <dan at af0.net> wrote:
> http://www.owasp.org/index.php/Avoiding_SQL_Injection#.NET
>
> Parameter collections such as SqlParameterCollection provide type checking
> and length validation. If you use a parameters collection, input is treated
> as a literal value, and SQL Server does not treat it as executable code and
> therefore the payload cannot be injected.
>
> On Mon, Mar 14, 2011 at 8:30 AM, Steve Weis <steveweis at gmail.com> wrote:
>
>> I wrote a blog post outlining these concerns:
>> http://blog.saweis.net/security-issues-with-feed-over-email
>>
>> On Sun, Mar 13, 2011 at 7:29 PM, Rebecca MacKinnon <rebecca.mackinnon at gmail.com> wrote:
>>
>>> Hi there. A query was posted to the list about this a couple months
>>> ago. Listmember Steve Weis responded:
>>> ---
>>> Glancing through the code, I don't see any circumvention. It relies on
>>> using a mail provider that supports SSL. That is optional and must be
>>> configured by the end user (see below).
>>>
>>> If a user does not configure FOE to use an SSL email provider,
>>> everything will be sent in the clear. That is easy to filter and could
>>> put end users receiving verboten material at risk.
>>>
>>> Worse, there is no authentication of message payloads from the server.
>>> I think I can spoof a message with a malicious payload that will be
>>> written to disk in the client's RSS catalog (see link below).
>>>
>>> This is somewhat moot because it is Windows-only, requires installing
>>> a client, and no binaries are available for download. That's probably
>>> a good thing.
>>>
>>> A couple issues from a cursory look at the code:
>>> 1. SSL is not required. Someone using this who didn't explicitly use
>>> an email provider supporting SSL will be trivial to track:
>>>
>>> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Common/OpenPOP-SSL/POP3/POPClient.cs#444
>>> 2. There is no authentication of messages from the server. This could
>>> put clients at risk since they will be saving untrusted content to
>>> disk:
>>> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Client/FoeClientMessage.cs#290
>>> 3. I suspect the server DB code is vulnerable to SQL injection attack,
>>> although input might be getting properly sanitized by C#'s SqlClient.
>>> I will bet a beer that someone can find an exploit:
>>>
>>> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Server/FoeServerMessage.cs#259
>>>
>>> Background links:
>>>
>>> http://code.google.com/p/foe-project/
>>>
>>> http://www.defcon.org/images/defcon-18/dc-18-presentations/Ho/DEFCON-18-Ho-FOE.pdf
>>>
>>> On Mar 13, 2011, at 10:04 PM, Katrin Verclas wrote:
>>>
>>> Hi, list -- came across this project:
>>> http://code.google.com/p/foe-project/.
>>>
>>> It claims to: FOE (Feed Over Email) is a new tool that allows users to
>>> receive RSS feeds from foreign websites without the need to find a working
>>> proxy server or install any proxy software.
>>>
>>> Technically, FOE is built on top of SMTP and works on most email servers
>>> as long as the user has access to POP3 and SMTP.
>>>
>>> Have not checked it out and it's late but wonder whether anyone has
>>> tested/checked out?
>>>
>>>
>>> Katrin Verclas
>>> MobileActive.org
>>> katrin at mobileactive.org
>>>
>>> skype/twitter: katrinskaya
>>> (347) 281-7191
>>>
>>> A global network of people using mobile technology for social impact
>>> http://mobileactive.org
>>>
>>> _______________________________________________
>>> liberationtech mailing list
>>> liberationtech at lists.stanford.edu
>>>
>>> Should you need to change your subscription options, please go to:
>>>
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>> If you would like to receive a daily digest, click "yes" (once you click
>>> above) next to "would you like to receive list mail batched in a daily
>>> digest?"
>>>
>>> You will need the user name and password you receive from the list
>>> moderator in monthly reminders.
>>>
>>> Should you need immediate assistance, please contact the list moderator.
>>>
>>> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>>>
>
>
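The OWASP point Daniel quotes, shown as an added example that is not code from the FOE project or from either poster: a query built by string concatenation next to the same query expressed as a parameterized SqlCommand. The table and column names, the connection string and the hostile sample value are hypothetical placeholders constructed for the illustration.

```csharp
// Added example (not FOE project code). Contrasts a string-concatenated query
// with a parameterized SqlCommand. FeedMessages, FeedUrl and the connection
// string are hypothetical placeholders.
using System;
using System.Data;
using System.Data.SqlClient;

public static class FeedMessageStore
{
    // Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    // input can change the structure of the statement, not just its data.
    public static string BuildUnsafeQuery(string feedUrl)
    {
        return "SELECT Id, Body FROM FeedMessages WHERE FeedUrl = '" + feedUrl + "'";
    }

    // Hardened pattern: the SQL text is fixed at compile time and the value
    // travels as a typed, size-bounded parameter. SQL Server receives it as a
    // literal value, so quotes or keywords inside it are never parsed as SQL.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string feedUrl)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Body FROM FeedMessages WHERE FeedUrl = @feedUrl", conn);
        // Explicit SqlDbType and size: the parameter is bound as data
        // regardless of its content (the OWASP "type checking and length
        // validation" point).
        cmd.Parameters.Add("@feedUrl", SqlDbType.NVarChar, 2048).Value = feedUrl;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample input: a value containing a quote and an OR clause.
        const string hostile = "x' OR '1'='1";

        // The concatenated text now contains the attacker's clause as SQL.
        Console.WriteLine(BuildUnsafeQuery(hostile));

        // Building the command does not require an open connection, so this
        // runs offline; the connection string is a placeholder.
        using (var conn = new SqlConnection("Server=(local);Database=Foe;Integrated Security=true"))
        {
            var cmd = BuildSafeCommand(conn, hostile);
            Console.WriteLine(cmd.CommandText);                  // SQL text unchanged
            Console.WriteLine(cmd.Parameters["@feedUrl"].Value); // input kept as data
        }
    }
}
```

Reading the two outputs side by side is the point: in the concatenated version the hostile value becomes part of the statement, while in the parameterized version the CommandText is identical for every input and the value is carried separately. Whether FOE's server code actually uses the parameterized form is what Steve's third item asks about; this snippet only shows what the safe shape looks like in SqlClient.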