Bugtraq mailing list archives
procmail
From: batsy () VAPOUR NET (jamie)
Date: Fri, 18 Jul 1997 17:32:27 +0000
Greetings Citizen! Here's a heads up to anyone running procmail v3.11pre4. In the procmailex man page there is an example of a simple fileserver. The problem with the example is that after getting it working, I wanted to see if the MAILDIR variable would isolate procmail to that directory. The recipie in the man page sets up the fileserver so that incoming mail with the subject: request <filename> returns the file from $HOME/fileserver. If someone were to use this recipe, all a villain would have to send would be: Subject: request /etc/passwd and procmail cheerfully returns the passwd file, or any file that is readable by the user that procmail suid's to. This could be particularly bad if someone happened to have an infobot owned by root. On a more practical level, an unscrupulous cad could just request /var/mail/username and recieve the unsuspecting users mailfile. I will leave the infinite possibilities to the creativity of the gentle reader. Below I have included the offending text for your perusal. PROCMAILEX(5) PROCMAILEX(5) :0 * !^X-Loop: yourname () your main mail.address * !^Subject:.*Re: * !^FROM_DAEMON * ^Subject:.*request { MAILDIR=$HOME/fileserver # chdir to the fileserver directory :0 h # extract the requested filename(s) FILES=| sed -n -e 's/^Subject:.*request \(.*\)/\1/p' :0 f # reverse the mailheader | formail -rA "X-Loop: yourname () your main mail.address" :0 | (cat; cat $FILES) | $SENDMAIL -oi -t } Nice network. We'll take it. (jamie|batsy)@vapour.net Quality by Defective Technologies
Current thread:
- procmail jamie (Jul 18)
- Re: procmail Illuminatus Primus (Jul 20)
- Re: procmail Brock Rozen (Jul 21)
- Re: procmail Casper Dik (Jul 21)
- Re: procmail Olaf Kirch (Jul 21)
- Re: procmail Casper Dik (Jul 22)
- Re: procmail Illuminatus Primus (Jul 20)
- AIX ping (Exploit) Bryan P. Self (Jul 20)
- AIX ping, lchangelv, xlock fixes Troy Bollinger (Jul 21)
- Re: procmail Philip Guenther (Jul 20)
- AIX lchangelv (Exploit) Bryan P. Self (Jul 20)
- SNI-16: INN News Server Security Advisory Secure Networks Inc. (Jul 21)