Hi,

There is a serious security problem with the Perl script I 
provided. I hoped that by sending the script to the list, someone 
would say: hey guy, you should escape your arguments!

Well, I discovered it by accident, sending a mail to
_ksad;asdfasdf;asd;fasd;[EMAIL PROTECTED] (a totally bogus address).

In my log files, there appeared:
May  9 20:49:15 server qmail: 989434155.717701 delivery 1643: success: qmail-inject:_fatal:_unable_to_parse_this_line:/To:_ksad;asdfasdf;asd;fasd;a[EMAIL PROTECTED]/sh:_asdfasdf:_command_not_found/sh:_asd:_command_not_found/sh:_fasd:_command_not_found/sh:[EMAIL PROTECTED]:_command_not_found/did_0+0+1/

Seeing that, I tried to send mail to _test;mail;[EMAIL PROTECTED],
which resulted in

May  9 21:19:35 server qmail: 989435975.128894 delivery 1672: success: qmail-inject:_fatal:_unable_to_parse_this_line:/To:_test;mail;[EMAIL PROTECTED]/No_mail_for_suanetinfo/sh:[EMAIL PROTECTED]:_command_not_found/did_0+0+1/

which proves that the script executed the 'mail' command for user 
suanetinfo (the uid for the catchall user).

Oops.

The new script quotes the arguments, like this:
-----------
#!/usr/bin/perl
open(M, "|/var/qmail/bin/qmail-inject \"$ENV{LOCAL}\@$ARGV[0]\"");
while(<STDIN>) { print M $_; }
close M;
-------------

Please, is there *anyone* who can see a new security hole here!?

With much regards,

Ace Suares

> Hi,
> 
> I am still trying to establish domain forwarding without creating local
> users, as suggested in an earlier thread. I am only using rcpthosts
> and locals, and NOT virtualdomains, and I am not using the dash-trick
> either.
> 
> First, I wrote a perl script based on what David Young sent us in a
> recent message. I call the script 'forward-domain'
> 
> --- script forward-domain ---
> #!/usr/bin/perl
> open(M, ">/tmp/aaqmdf111");
> print M "First Argument = $ARGV[0]\n";
> foreach $lala (keys %ENV) {
> print M "$lala => $ENV{$lala}\n";
> }
> while(<STDIN>) { print M $_; }
> close M;
> --- end script ---
> 
> As you can see, my Perl is not immaculate, and heavily influenced by
> the Teletubbies.
> 
> In LDAP, I entered an entry for domain 'debalie.org' which I want to
> forward to 'balie.nl':
> 
> --- begin ldap entry ---
> dn: cn=info,o=De Balie _debalie.org_,c=NL
> objectclass: top
> objectclass: qmailUser
> mail: [EMAIL PROTECTED]
> uid: debalorginfo
> mailalternateaddress: [EMAIL PROTECTED]
> userpassword: secret
> deliveryprogrampath: preline /root/forward-domain test123.com
> qmailuid: 1054
> qmailgid: 1054
> mailmessagestore: /maildir/balie.nl/debalorginfo
> --- end ldap entry ---
> 
> This entry contains the 'main' account (just a convenience) and the
> catchall alias. So this account catches all mail to the debalie.org
> domain and pipes it through the perl script.
> 
> The result of sending a mail to [EMAIL PROTECTED], is a file in /tmp
> with the First Argument test123.com, the whole environment, followed
> by the message. You can inspect this file to see what environment
> variables there are.
> 
> One environment var is called LOCAL. It seems (after repeated tests)
> that this contains the LOCAL part of an email address, so to speak the
> part that precedes the @domain.
> 
> Now, I change the script to:
> --- begin script ---
> #!/usr/bin/perl
> open(M, "|/var/qmail/bin/qmail-inject $ENV{LOCAL}\@$ARGV[0]");
> while(<STDIN>) { print M $_; }
> close M;
> --- end script ---
> 
> 
> To me, it seems to work.
> Can anyone verify that? Are there pitfalls as to security?
> I assume that a check for the existence of $ARGV[0] would be a good
> thing.
> 
> Much regards,
> Ace Suares
| Ace Suares, Internet Consultancy and Training
| Keizersgracht 132, 1015 CW AMSTERDAM, NL
| phone: 06 557 06 554    (+31 6 557 06 554)
| fax: 08 48 707 705      (+31 84 870 770 5)
| mailto:[EMAIL PROTECTED] PGP Key idea: 0x39B81FE5
| http://www.suares.com
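The quoted version of the script above still hands the address to /bin/sh, and inside double quotes sh keeps expanding `$`, backticks and `"`, so a local part such as `x$(id)` or `x"; id; "` would still run a command. The script below is an added example, not code from the thread or from the qmail-ldap project: it keeps the same command line and LOCAL environment variable, but rejects anything outside a conservative character class (an assumed policy; widen it if real local parts need more) and uses Perl's list-form pipe open, which execs qmail-inject directly with the address as one argv element, so no shell is involved at all. The exit codes follow the qmail delivery-program convention (0 delivered, 100 permanent failure, 111 temporary failure).

```perl
#!/usr/bin/perl
# forward-domain, hardened. Added example, not the script posted in the thread.
# Called from the LDAP entry exactly as before: preline /root/forward-domain balie.nl
use strict;
use warnings;

my $inject = '/var/qmail/bin/qmail-inject';   # same path as used in the thread

# qmail delivery-program exit codes: 0 = delivered, 100 = permanent failure
# (bounce), 111 = temporary failure (qmail retries later).
sub bail {
    my ($code, $msg) = @_;
    print STDERR "forward-domain: $msg\n";
    exit $code;
}

my $domain = shift @ARGV;
my $local  = $ENV{LOCAL};
bail(100, 'no target domain given on the command line') unless defined $domain && length $domain;
bail(111, 'LOCAL not set in the environment')            unless defined $local  && length $local;

# Accept only a conservative subset of address characters. Anything else
# (';', '`', '$', '"', whitespace, ...) is refused outright instead of quoted.
# Assumed policy: this class is narrower than what qmail-inject itself accepts.
sub checked {
    my ($what, $value) = @_;
    $value =~ /\A[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}\z/
        or bail(100, "refusing to forward: $what contains unexpected characters");
    return $value;
}
my $target = checked('LOCAL', $local) . '@' . checked('domain', $domain);

# List-form open: Perl forks and execs $inject with $target as a single
# argument. No shell ever sees the address, so shell metacharacters are inert
# even if the character check above were later relaxed.
open(my $m, '|-', $inject, $target)
    or bail(111, "cannot run $inject: $!");
while (my $line = <STDIN>) {
    print {$m} $line or bail(111, "write to qmail-inject failed: $!");
}
# qmail-inject exits 100 on a permanent error and 111 on a temporary one;
# pass a permanent failure through as a bounce and defer everything else.
unless (close($m)) {
    my $status = $? >> 8;
    bail($status == 100 ? 100 : 111, "qmail-inject exited with status $status");
}
exit 0;
```

Note that the `$ARGV[0]` existence check asked about in the original message is the first `bail` above; the LOCAL check is a temporary failure rather than a bounce so that a misconfigured qmail-ldap entry defers mail instead of bouncing it.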
