Improve the mail header injection feature

k-tamura · May 22, 2018 · 505d37a · 505d37a
1 parent f1b69c1
commit 505d37a
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 28 deletions.
diff --git a/src/main/java/org/t246osslab/easybuggy4sb/vulnerabilities/MailHeaderInjectionController.java b/src/main/java/org/t246osslab/easybuggy4sb/vulnerabilities/MailHeaderInjectionController.java
@@ -34,12 +34,6 @@
 @Controller
 public class MailHeaderInjectionController extends AbstractController {
 
-	@Value("${spring.mail.username}")
-	private String username;
-
-	@Value("${spring.mail.password}")
-	private String password;
-
 	// administrator's mail address
 	@Value("${mail.admin.address}")
 	private String adminAddress;
@@ -50,11 +44,6 @@ public class MailHeaderInjectionController extends AbstractController {
 	@RequestMapping(value = "/mailheaderijct", method = RequestMethod.GET)
 	public ModelAndView doGet(ModelAndView mav, Locale locale) {
 	    setViewAndCommonObjects(mav, locale, "mailheaderinjection");
-		if (isReadyToSendEmail()) {
-			mav.addObject("isReady", "yes");
-        } else {
-            mav.addObject("note", msg.getMessage("msg.smtp.server.not.setup", null, locale));
-        }
 		return mav;
 	}
 
@@ -90,10 +79,6 @@ public ModelAndView doPost(ModelAndView mav, HttpServletRequest req, Locale loca
 		return doGet(mav, locale);
 	}
 
-	private boolean isReadyToSendEmail() {
-	    return !(StringUtils.isBlank(username) || StringUtils.isBlank(password) || StringUtils.isBlank(adminAddress));
-	}
-
 	private void sendMail(String subject, String text, List<File> uploadedFiles) throws MessagingException {
 		MimeMessage message = javaMailSender.createMimeMessage();
 		MimeMessageHelper helper = new MimeMessageHelper(message, true);

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -11,12 +11,12 @@ spring.datasource.driver-class-name=org.apache.derby.jdbc.EmbeddedDriver
 spring.datasource.platform=
 spring.datasource.continue-on-error=true
 
-spring.mail.host=smtp.gmail.com
-spring.mail.port=587
+spring.mail.host=localhost
+spring.mail.port=25
 spring.mail.username=
 spring.mail.password=
-spring.mail.properties.mail.smtp.auth=true
-spring.mail.properties.mail.smtp.starttls.enable=true
+spring.mail.properties.mail.smtp.auth=false
+spring.mail.properties.mail.smtp.starttls.enable=false
 
 spring.ldap.embedded.base-dn=dc=t246osslab,dc=org
 spring.ldap.embedded.port=8389
@@ -46,4 +46,4 @@ account.lock.time=3600000
 account.lock.count=5
 
 ### Send Mail feature
-mail.admin.address=
+mail.admin.address=root@localhost
diff --git a/src/main/resources/messages.properties b/src/main/resources/messages.properties
@@ -235,7 +235,7 @@ msg.note.open.redirect            = You can login with <code>admin</code> and <c
 msg.note.path.traversal           = Change the query string to <code>template=../uid/adminpassword.txt?</code>, then you can see the content of adminpassword.txt in this page.
 msg.note.roundofferror            = Round off error occurs if you enter 1. 
 msg.note.session.fixation         = You can login with <code>admin</code> and <code>password</code>. The URL rewriting feature works on this page in order to support clients that cannot use cookie, so the session fixation attack is possible.
-msg.note.slowregex                = If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaあ</code>, parse processing will take several tens of seconds<br> &nbsp;If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaあ</code>, then no response will be received.
+msg.note.slowregex                = If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code>, parse processing will take several tens of seconds<br> &nbsp;If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code>, then no response will be received.
 msg.note.sqlijc                   = You can see a secret number if you enter <code>Mark</code> and <code>password</code>. You can see other users information if you enter password to <code>' OR '1'='1</code>
 msg.note.strplusopr               = If you enter a large number then the processing will take several tens of seconds because the string is created by "+" (plus) operator.
 msg.note.threadleak               = Thread leak occurs every time you load this page.
@@ -258,7 +258,6 @@ msg.reverse.color.complete        = The color reversal of the image file has com
 msg.reverse.color.fail            = The color reversal of the image file fails.
 msg.select.upload.file            = Select a file to upload.
 msg.sent.mail                     = The mail was sent successfully.
-msg.smtp.server.not.setup         = Mail properties are not correctly set in <code>application.properties</code>.
 msg.unknown.exception.occur       = Unknown exception occurs : {0}
 msg.update.records                = Updated {0} records.
 msg.update.users                  = You can update users information.

diff --git a/src/main/resources/messages_en.properties b/src/main/resources/messages_en.properties
@@ -235,7 +235,7 @@ msg.note.open.redirect            = You can login with <code>admin</code> and <c
 msg.note.path.traversal           = Change the query string to <code>template=../uid/adminpassword.txt?</code>, then you can see the content of adminpassword.txt in this page.
 msg.note.roundofferror            = Round off error occurs if you enter 1. 
 msg.note.session.fixation         = You can login with <code>admin</code> and <code>password</code>. The URL rewriting feature works on this page in order to support clients that cannot use cookie, so the session fixation attack is possible.
-msg.note.slowregex                = If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaあ</code>, parse processing will take several tens of seconds<br> &nbsp;If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaあ</code>, then no response will be received.
+msg.note.slowregex                = If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code>, parse processing will take several tens of seconds<br> &nbsp;If you enter string to <code>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042</code>, then no response will be received.
 msg.note.sqlijc                   = You can see a secret number if you enter <code>Mark</code> and <code>password</code>. You can see other users information if you enter password to <code>' OR '1'='1</code>
 msg.note.strplusopr               = If you enter a large number then the processing will take several tens of seconds because the string is created by "+" (plus) operator.
 msg.note.threadleak               = Thread leak occurs every time you load this page.
@@ -258,7 +258,6 @@ msg.reverse.color.complete        = The color reversal of the image file has com
 msg.reverse.color.fail            = The color reversal of the image file fails.
 msg.select.upload.file            = Select a file to upload.
 msg.sent.mail                     = The mail was sent successfully.
-msg.smtp.server.not.setup         = Mail properties are not correctly set in <code>application.properties</code>.
 msg.unknown.exception.occur       = Unknown exception occurs : {0}
 msg.update.records                = Updated {0} records.
 msg.update.users                  = You can update users information.

diff --git a/src/main/resources/messages_ja.properties b/src/main/resources/messages_ja.properties
@@ -136,7 +136,7 @@ label.memory.used             = \u73FE\u5728\u5024
 label.metaspace               = Metaspace
 label.name                    = \u540D\u524D
 label.numbers                 = \u6570\u5B57
-label.obelus                  = \u00f7
+label.obelus                  = \u00F7
 label.password                = \u30D1\u30B9\u30EF\u30FC\u30C9
 label.permgen.space           = PermGen\u9818\u57DF
 label.phone                   = \u96FB\u8A71\u756A\u53F7
@@ -258,7 +258,6 @@ msg.reverse.color.complete        = \u753B\u50CF\u30D5\u30A1\u30A4\u30EB\u306E\u
 msg.reverse.color.fail            = \u753B\u50CF\u30D5\u30A1\u30A4\u30EB\u306E\u8272\u53CD\u8EE2\u306B\u5931\u6557\u3057\u307E\u3057\u305F\u3002
 msg.select.upload.file            = \u30A2\u30C3\u30D7\u30ED\u30FC\u30C9\u3059\u308B\u30D5\u30A1\u30A4\u30EB\u3092\u9078\u629E\u3057\u3066\u4E0B\u3055\u3044\u3002
 msg.sent.mail                     = \u30E1\u30FC\u30EB\u304C\u6B63\u5E38\u306B\u9001\u4FE1\u3055\u308C\u307E\u3057\u305F\u3002
-msg.smtp.server.not.setup         = \u30E1\u30FC\u30EB\u30D7\u30ED\u30D1\u30C6\u30A3\u304C<code>application.properties</code>\u306B\u6B63\u3057\u304F\u8A2D\u5B9A\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002
 msg.unknown.exception.occur       = \u4F55\u3089\u304B\u306E\u4F8B\u5916\u304C\u767A\u751F\u3057\u307E\u3057\u305F : {0}
 msg.update.records                = {0}\u4EF6\u66F4\u65B0\u3057\u307E\u3057\u305F\u3002
 msg.update.users                  = \u30E6\u30FC\u30B6\u30FC\u60C5\u5831\u3092\u4E00\u62EC\u3067\u66F4\u65B0\u3057\u307E\u3059\u3002

diff --git a/src/main/resources/templates/mailheaderinjection.html b/src/main/resources/templates/mailheaderinjection.html
@@ -3,7 +3,6 @@
 <div th:replace="head"></div>
 <body style="margin-left: 20px; margin-right: 20px;">
 	<div th:replace="header"></div>
-	<th:block th:if="${isReady != null}">
 		<form action="mailheaderijct" method="post"
 			enctype="multipart/form-data">
 			<p th:text="#{description.send.mail}" />
@@ -33,7 +32,6 @@
 				</tr>
 			</table>
 		</form>
-	</th:block>
     <div th:replace="messages"></div>
 </body>
 </html>