Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SECURITY HOLE: FormMail
From: neil () legless demon co uk (Neil Woods)
Date: Sat, 5 Aug 1995 10:26:35 +0100



| Just to be helpful, the way to do it more safely, without massive
| need for checking is to build a complete mail message, including
| header, and hand that to "sendmail -t" which then reads the recipient
| information out of the constructed header.  [Sendmail should of course
| be an invocation of smail or pp, not the BSD program of that name,
| given the history of problems that has had]

I suspect this still wont take care of emails to pipes or files,
i.e  <|/bin/sh> or </.rhosts>, it is a legitimate, albeit unexpected,
mail-command going to sendmail. So unless these two mode are totally
stripped out of the sendmail, there will exist a vulnerability there,
wont it?


No current version of sendmail (v8.*, any vendor supplied version) will
allow mailing directly to programs or files.  In order to deliver mail to
a program or file, it must be indirect (ie. alias expansion, or from a
users .forward file).

Cheers,

Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]