Bugtraq mailing list archives

Re: SECURITY HOLE: FormMail

From: ukkonen () csc fi (Jukka Ukkonen)
Date: Mon, 7 Aug 1995 09:06:21 -0100


Quoting Andrew Macpherson:


Christian Wettergren wrote:

| I don't know about smail and pp though. The key here is however that
| it is _legitimate_ requests for _features_ that is the problem, not
| any bugs. (I usually phrase this as thought-of "pure" data that is
| actually containing meta-data syntax escapes.)

I'm not 100% sure about smail.  PP will only deliver to programs
which the administrator has configured in 2 different tables ---

The program *must* be accessed via a label (join key) in both the users'
table, and the shell table, or from the user's mailfilter file.  The
user-of-execution is specified in the shell table, or is the owner of the
mailfilter, and altogether one feels fairly happy about pp and program
delivery, because the programs are all under local control.  It is impossible
for the submitter to specify a program.


        .. which is also the case with the modern versions of sendmail.
        At least 8.6.11 and more recent are clean. Pipes and filenames
        can be specified only in systems' alias files or in the users'
        ~/.forward files and naturally only when final delivery is
        attempted. As far as I know no, such address will work when
        specified in in-transit messages.

As for sendmail: well we have had bug-of-the-week from that for so long now...
the least one expects is the administrator has installed the checking program
on the program channel.  Personally I will not touch it anywhere where
delivery can be effected.


        Maybe it is wise not to tamper with anything unless one really
        knows what should and what should not be done. Any MTA that can
        offer relatively flexible connectivity will necessarily be so
        darn complicated beast that it is easy to make awful mistakes
        with the configuration.


        Cheers,
                // jau
------
  /    Jukka A. Ukkonen,       FUNET / Centre for Scientific Computing
 /__   M.Sc. (sw-eng & cs)               Tel:   (Home) +358-0-578628
   /   Internet: ukkonen () csc fi                 (Work) +358-0-4573208
  /    Internet: jau () funet fi                 (Mobile) +358-400-606671
 v     X.400:    c=fi, admd=fumail, no prmd, org=csc, pn=jukka.ukkonen

Current thread:

Guidelines for cgi-bin scripts, (continued)
- - Guidelines for cgi-bin scripts Lee Silverman (Aug 08)
    - Re: Guidelines for cgi-bin scripts Dave Andersen (Aug 08)
    - Re: Guidelines for cgi-bin scripts Christian Wettergren (Aug 09)
- Re: SECURITY HOLE: FormMail Andrew Macpherson (Aug 03)
  - Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)
    - Re: SECURITY HOLE: FormMail Neil Woods (Aug 05)
    - More holes, was: Re: SECURITY HOLE: FormMail Ivo (Aug 05)
    - My email handler, ~ escapes, etc. Tom (Aug 05)
    - Simple CGI email handler, fixed Tom (Aug 05)
- Re: SECURITY HOLE: FormMail Andrew Macpherson (Aug 04)
  - Re: SECURITY HOLE: FormMail Jukka Ukkonen (Aug 07)