[mew-int 01229] Re: Mew 2.2 security problems?
Kazu Yamamoto ( 山本和彦 )
kazu at example.com
Wed Dec 18 12:18:14 JST 2002
From: sen_ml at example.com
Subject: [mew-int 01228] Mew 2.2 security problems?
> I haven't managed to find what these security problems are...any
> pointers?
If you are not using S/MIME, no problem.
If you are using S/MIME, the following problems occur:
(1) The filename parameter of Content-Disposition: contains a *full*
path (of a temporary file). This let a bad guy know the exact file
name of the temporary file.
(2) The name of the temporary file abave is static, that is the same
file name is used always.
This may allow a bad guy to use temporary file attacks.
--Kazu
More information about the Mew-int
mailing list