Security update: version 0.1.13 beta-14

2006-10-13  Robert Felber
changes:

core:

-   mylog() now passes all arguments after a preceding %s
    format string, to avoid that a remote format string may be executed.
    See NOTES.


NOTES:

If $DEBUG = 1; is set, then policyd-weight may be vulnerable to a remote and local
sprintf vulnerability if old Sys::Syslog versions are in place.
A syslog call for the cache queries was handed straight to the syslog()
routine without a preceding %s format string. If the MTA did not deny
illegal characters, then a remote user may send a special format string as
sender which would execute at that debug message:

mylog(info=>"cache_query: $query $ip $sender $rate") if $DEBUG;


I cannot find information on which Sys::Syslog version fixed this issue,
so I am releasing this security fix. It is highly recommended to
update Sys::Syslog, too. This issue is rather old and can be read about here:

http://news.perl-foundation.org/2005/12/updated_perl_modules_alleviate.html

You may check whether you are vulnerable in the following way:

a) check whether you have $DEBUG = 1; set
   if so:
b) telnet localhost 12525 (or the port on which policyd-weight runs)

[EMAIL PROTECTED]
helo_name=somedomain.com\n
client_address=1.2.3.4\n
request=smtpd_access_policy\n
\n
\n

check your log for the following entry:

Oct 13 12:15:05 devil postfix/policyd-weight[14219]: cache_query: nask 1.2.3.4 [EMAIL PROTECTED]

If you see a 0 before somedomain.com you are vulnerable; if you see
a %i you are not vulnerable.




-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany


Policyd-weight Mailinglist - http://www.policyd-weight.org/

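The following Perl script is an added example and is not policyd-weight's own code nor the mylog() from the release above. It shows the two logging shapes the advisory contrasts, with Perl's sprintf standing in for the formatting that Sys::Syslog's syslog() applies to its format argument (no real syslog call is made), and it explains why the log check in the advisory shows either a literal %i or a 0: a %i directive with no matching argument formats as 0. The sender value and the cache_query line are constructed sample data; the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not part of policyd-weight: the "%s first" logging pattern
# from the advisory, demonstrated with sprintf instead of a live syslog().
use strict;
use warnings;

# Hardened shape (hypothetical helper): the message is never the format
# string; it is always the single argument of a fixed "%s".  In a daemon
# this line would be:  syslog($level, '%s', $message);
sub safe_log_line {
    my ($level, $message) = @_;
    return sprintf('%s', $message);
}

# Pre-fix shape (hypothetical helper): the message itself is handed over as
# the format string, so any % directive inside it is interpreted.
sub unsafe_log_line {
    my ($level, $message) = @_;
    no warnings;   # suppress "Missing argument in sprintf" for the demo
    return sprintf($message);
}

# Constructed sample input: a sender address containing a format directive,
# embedded in a cache_query line of the kind the advisory describes.
my $sender = '%i@somedomain.com';
my $line   = "cache_query: nask 1.2.3.4 $sender";

my $safe   = safe_log_line('info', $line);
my $unsafe = unsafe_log_line('info', $line);

print "safe:   $safe\n";    # the %i is kept literally
print "unsafe: $unsafe\n";  # the %i is consumed and becomes 0

# Self-check matching the advisory's log test: a literal %i means the
# directive was not interpreted; a 0 means it was.
die "safe path altered the message"      unless $safe   eq $line;
die "unsafe path did not format"         unless $unsafe eq 'cache_query: nask 1.2.3.4 0@somedomain.com';
print "check ok: fixed logger preserves user input verbatim\n";
```

Run it with `perl` on any system; it needs only core modules. The same reasoning applies to any logging API whose second argument is a format: user-controlled text (sender, HELO name, client address) belongs in the argument list behind a constant format, never in the format position.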

Re: Security update: version 0.1.13 beta-14

2006-10-13  Justin Piszcz
Must have been because of 0.1.13 + 10/13 on Friday? :)

Upgraded to 0.1.13-beta14!

Justin.

On Fri, 13 Oct 2006, Robert Felber wrote:


Policyd-weight Mailinglist - http://www.policyd-weight.org/