Home page logo

bugtraq logo Bugtraq mailing list archives

Re: mail Reply-To field exploit
From: Thomas Roessler <roessler () DOES-NOT-EXIST ORG>
Date: Mon, 6 Nov 2000 12:23:20 +0100

On 2000-11-05 21:56:17 +0000, gregory duchemin wrote:

Note: It's NOT A BUG in mail, sendmail or mail.local but a
weakness caused by a bindly rfc compliance. I didn't try elm,
mailx and others so feedback are welcomed

No, it's not a weakness caused by blind rfc compliance, but a
deliberate decision by those who wrote mailx.

You can - easily - write MUAs which don't fall for shell meta
characters in addresses. You just have to avoid using popen(3), and
generally avoid the shell when passing things to other programs.

Actually, mailx gets this partially right by using execvp to pass
arguments to sendmail.

However, please have a look at the following comment in front of the
outof() routine in mailx' names.c module, and at the code in that

   216  /*
   217   * For each recipient in the passed name list with a /
   218   * in the name, append the message to the end of the named file
   219   * and remove him from the recipient list.
   220   *
   221   * Recipients whose name begins with | are piped through the given
   222   * program and removed.
   223   */
   224  struct name *
   225  outof(names, fo, hp)
   226          struct name *names;
   227          FILE *fo;
   228          struct header *hp;

(YMMV with respect to line numbers; I'm currently looking at
Debian's version of mailx-8.1.1.)

Thomas Roessler                         <roessler () does-not-exist org>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]