Home page logo

bugtraq logo Bugtraq mailing list archives

From: batsy () VAPOUR NET (jamie)
Date: Fri, 18 Jul 1997 17:32:27 +0000

Greetings Citizen!

Here's a heads up to anyone running procmail v3.11pre4.

In the procmailex man page there is an example of a simple fileserver.
The problem with the example is that after getting it working, I wanted
to see if the MAILDIR variable would isolate procmail to that directory.

The recipie in the man page sets up the fileserver so that incoming mail
with the subject: request <filename> returns the file from $HOME/fileserver.

If someone were to use this recipe, all a villain would have to send would be:

Subject: request /etc/passwd

and procmail cheerfully returns the passwd file, or any file that is
readable by the user that procmail suid's to. This could be particularly
bad if someone happened to have an infobot owned by root.

On a more practical level, an unscrupulous cad could just request
/var/mail/username and recieve the unsuspecting users mailfile.
I will leave the infinite possibilities to the creativity of the
gentle reader.

Below I have included the offending text for your perusal.

PROCMAILEX(5)                                       PROCMAILEX(5)

              * !^X-Loop: yourname () your main mail address
              * !^Subject:.*Re:
              * !^FROM_DAEMON
              * ^Subject:.*request
                MAILDIR=$HOME/fileserver   # chdir to the fileserver directory

                :0 h             # extract the requested filename(s)
                FILES=| sed -n -e 's/^Subject:.*request \(.*\)/\1/p'

                :0 f                # reverse the mailheader
                | formail -rA "X-Loop: yourname () your main mail address"

                | (cat; cat $FILES) | $SENDMAIL -oi -t

                        Nice network. We'll take it.
                     Quality by Defective Technologies

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]