> ... and here is the EXIM EXPLOIT :
> https://github.com/RUB-NDS/alpaca-code/blob/master/exploits/smtp/02-exim.md

That's interesting because I expected a 503 no greeting received yet if I throw
a "mail from:..." to Exim before EHLO/HELO.

But in the case the address given is invalid it is indeed
501 <script>alert(1);</script>: malformed address: alert(1);</script> may not follow <script>
without prior greeting.

According to debug +all output there is no way to prevent that by ACL because
none is called in this case....

mail from: <script>alert(1);</script>
12:33:23 1608459 SMTP<< mail from: <script>alert(1);</script>
12:33:23 1608459 LOG: smtp_syntax_error MAIN
12:33:23 1608459 SMTP syntax error in "mail from: <script>alert(1);</script>" H=... malformed address: alert(1);</script> may not follow <script>
12:33:23 1608459 SMTP>> 501 <script>alert(1);</script>: malformed address: alert(1);</script> may not follow <script>

Maybe it's best to not reflect anything already known to be "malformed" to the client?
Or add a syntax_error ACL?
Or call the command ACL even if a syntax error is detected?

Greetings, Wolfgang
--
Wolfgang Breyha <[email protected]> | https://www.blafasel.at/
Vienna University Computer Center | Austria

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
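
A log check for the behaviour described in the message above, as an added example that is not part of the original post or of Exim: it pairs each `SMTP<<` line of debug output in the format quoted above with the next `SMTP>>` reply from the same process and reports replies that echo HTML-like tags taken from the client's command. The sample lines are constructed (the first three follow the quoted output; the host names and the second session are placeholders), and the function and regex names are assumptions of this example.

```python
import re

# Constructed sample in the debug format quoted in the message:
# time, pid, then "SMTP<<" for client input and "SMTP>>" for the server reply.
SAMPLE = '''\
12:33:23 1608459 SMTP<< mail from: <script>alert(1);</script>
12:33:23 1608459 LOG: smtp_syntax_error MAIN
12:33:23 1608459 SMTP>> 501 <script>alert(1);</script>: malformed address: alert(1);</script> may not follow <script>
12:34:02 1608460 SMTP<< EHLO client.example
12:34:02 1608460 SMTP>> 250 mail.example Hello client.example
12:34:03 1608460 SMTP<< mail from: <user@client.example>
12:34:03 1608460 SMTP>> 250 OK
'''

LINE = re.compile(r'^(\d{2}:\d{2}:\d{2})\s+(\d+)\s+SMTP(<<|>>) (.*)$')
# HTML-like tag; '@' is excluded so an ordinary <local@domain> path is not a tag.
TAG = re.compile(r'</?[A-Za-z][^<>@]*>')


def reflected_markup(debug_text):
    """Return (time, pid, reply_code, tags) for every server reply that echoes
    HTML-like tags from the preceding client command of the same process."""
    last_cmd = {}   # pid -> most recent client line seen for that process
    findings = []
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue            # LOG: lines and other debug noise
        time, pid, direction, text = m.groups()
        if direction == '<<':
            last_cmd[pid] = text
            continue
        sent = TAG.findall(last_cmd.get(pid, ''))
        # keep order, drop duplicates, keep only tags present in the reply
        echoed = [t for t in dict.fromkeys(sent) if t in text]
        if echoed:
            findings.append((time, pid, text[:3], echoed))
    return findings


if __name__ == '__main__':
    for finding in reflected_markup(SAMPLE):
        print(finding)
```

Only the 501 reply is reported; the EHLO reply echoes the client's host name but contains no tag, and the valid sender address is not treated as markup.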
