Home page logo

bugtraq logo Bugtraq mailing list archives

Re: a few bugs ...
From: roessler () MUTT ORG (Thomas Roessler)
Date: Wed, 15 Mar 2000 09:07:14 +0100

On 2000-03-13 14:31:23 -0000, Maurycy Prodeus wrote:

Mail agent programs like: standard ;P 'mail' from
Berkeley Distribution or mutt, elm perhaps other :),
use sendmail arguments to put email adress where luser
wants to send mail. It's similar problem to crontab's
or lpd's bugs. Example: if you put line with Reply-To:
-X /dev/hda1 ;P or something like that :> to mail
message and luser ( in this case root ) stupid pushes
OK,OK,OK :) ( ofz he'd want to reply ) it may
write/destroy file ( /dev/hda1 :] ). I know it isn't
good example but I only wanted to show idea...

This does NOT work against mutt:

(1) We use execv to start sendmail from within mutt, so no
    shell parsing is involved.

(2) We explicitly tell sendmail to stop option processing
    (giving the "--" command line parameter) _before_ we
    start throwing externally-supplied e-mail addresses at

Please make sure you verify your claims about security
problems _before_ publishing them in public.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]