Hi,

On Thursday, Oct 23, 2003, at 10:31 Europe/Amsterdam, Paul J Stevens wrote:
<snip>
If it doesn't work it's because pipe.c is slightly bogus. The popen call to the SENDMAIL program passes the From or Reply-To values to the program as parameters without proper shell escaping!!! This is an exploit waiting to happen (SECURITY ALERT :-).
I've tried to execute some commands by setting the From address. And I succeeded.. Probably your MTA will check if the email address is valid, but if it doesn't you can run arbitrary commands with the privileges of the mail-user. :(
Try the attached trivial patch.
In addition to adding quotes, we should escape all quotes in the address string.
Ilja, what is your take.
I've made the attached patch, which should tackle the problem. I will create an update for 1.2 and for 2.0alpha. Please shoot at the patch if you think it is bogus!
Cheers, Ilja
pipe.patch
Description: Binary data
-- IC&S Koningsweg 4 3582 GE UTRECHT PGP-key: http://www.ic-s.nl/keys/ilja.txt
