Cheng Bruce writes:
Hi Serge,

Thank you for your quick reply. Before you replied to me, I had looked at .mailfilter several times, but I still can't figure it out. I focused on "sh: -c:", but I don't know where -c is located in the script. This is used for a user's autoreply, and it works, but the error only happens sometimes. Would you please correct my fault? The following is the content of .mailfilter:

#============================================
logfile "/home/domains/YYYY.com/laura/mailfilter.log"
VERBOSE 9
#
# autoreply
#
if (/^Subject:.*/)
{
    SUBJECT=$MATCH
}
# These emails won't do autoreply
if (! (/^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ ) )
{
    cc "| mailbot -A 'X-Sender: $FROM' -A 'From: $FROM' -d autoresponsedb -s 'Out of Office AutoReply: $SUBJECT' -m '$HOME/Maildir/autoreply.cf' $SENDMAIL -t -f ''"
}
to "$HOME/Maildir/."
#==========================================
This is a classical mistake made by those who do not understand how shell escaping and metacharacters should be quoted.
If you check your mail queue, you will probably find an E-mail message with a subject line that contains an apostrophe. It's also remotely possible that the message has an apostrophe in its return address, and not the subject line, but with 99% certainty it will be a subject line with an apostrophe.
For the sake of argument, the original message will have a subject line whose contents will be something like:
Subject: Mike's lunch

Your maildrop recipe will subsequently attempt to execute the following command:

cc "| mailbot -A [...] -s 'Out of Office AutoReply: Subject: Mike's lunch' [...]"

And there's your syntax error. You are very fortunate that you spotted this problem when it is a simple syntax error.
If a hostile attacker is aware of your broken maildrop recipe, he would then simply send you a message with the following subject line:
Subject: p0wn3d '; rm -rf $HOME #

And kiss your ass goodbye, as this message will wind up executing "rm -rf $HOME" in your home directory.
Do _NOT_ write maildrop recipes that invoke external commands unless you KNOW WHAT YOU ARE DOING.
At the very minimum, change:
SUBJECT=$MATCH
to:
SUBJECT=escape($MATCH)
FROM=escape($FROM)
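An added illustration of the quoting failure described above (Python, not maildrop code from this thread): it rebuilds the -s argument the two ways, naively interpolated inside hand-written single quotes versus properly quoted, and tokenises each the way sh -c would. Assumptions: the sample header block is constructed; shlex.quote stands in for maildrop's escape(), and the hand-written single quotes around the value are dropped so that all quoting comes from the escaping step.

```python
import re
import shlex

# Constructed sample header block (not a message from the thread).
SAMPLE_HEADERS = """From: alice@example.com
To: laura@example.com
Subject: Mike's lunch
"""


def extract_subject(headers: str) -> str:
    """Mirror the recipe's  if (/^Subject:.*/) { SUBJECT=$MATCH }  step.
    Like $MATCH, the returned value still carries the 'Subject: ' prefix."""
    m = re.search(r"^Subject:.*", headers, re.MULTILINE)
    return m.group(0) if m else ""


def naive_command(subject: str) -> str:
    """The thread's recipe: the raw value is dropped inside single quotes,
    so an apostrophe in the subject ends the quoted string early."""
    return f"mailbot -d autoresponsedb -s 'Out of Office AutoReply: {subject}' -m autoreply.cf"


def escaped_command(subject: str) -> str:
    """Hardened form: the whole value is quoted by shlex.quote (assumed here
    as the analogue of maildrop's escape()), so the shell sees one argument."""
    arg = shlex.quote("Out of Office AutoReply: " + subject)
    return f"mailbot -d autoresponsedb -s {arg} -m autoreply.cf"


def subject_argument(command: str):
    """Tokenise like sh -c and return the argument that would reach mailbot's -s.
    Returns None where the shell would report a syntax error (unclosed quote)."""
    try:
        words = shlex.split(command)
    except ValueError:  # e.g. "No closing quotation": the recipe's sh: -c: error
        return None
    return words[words.index("-s") + 1]


if __name__ == "__main__":
    subj = extract_subject(SAMPLE_HEADERS)
    print("naive   ->", subject_argument(naive_command(subj)))
    print("escaped ->", subject_argument(escaped_command(subj)))
```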
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users