mailing list archives
From: batsy () VAPOUR NET (jamie)
Date: Fri, 18 Jul 1997 17:32:27 +0000
Here's a heads up to anyone running procmail v3.11pre4.
In the procmailex man page there is an example of a simple fileserver.
The problem with the example is that after getting it working, I wanted
to see if the MAILDIR variable would isolate procmail to that directory.
The recipie in the man page sets up the fileserver so that incoming mail
with the subject: request <filename> returns the file from $HOME/fileserver.
If someone were to use this recipe, all a villain would have to send would be:
Subject: request /etc/passwd
and procmail cheerfully returns the passwd file, or any file that is
readable by the user that procmail suid's to. This could be particularly
bad if someone happened to have an infobot owned by root.
On a more practical level, an unscrupulous cad could just request
/var/mail/username and recieve the unsuspecting users mailfile.
I will leave the infinite possibilities to the creativity of the
Below I have included the offending text for your perusal.
* !^X-Loop: yourname () your main mail address
MAILDIR=$HOME/fileserver # chdir to the fileserver directory
:0 h # extract the requested filename(s)
FILES=| sed -n -e 's/^Subject:.*request \(.*\)/\1/p'
:0 f # reverse the mailheader
| formail -rA "X-Loop: yourname () your main mail address"
| (cat; cat $FILES) | $SENDMAIL -oi -t
Nice network. We'll take it.
Quality by Defective Technologies