Bugtraq mailing list archives
Re: procmail
From: brozen () WEBDREAMS COM (Brock Rozen)
Date: Mon, 21 Jul 1997 10:34:32 -0400
On Mon, 21 Jul 1997, Illuminatus Primus wrote:
> Here's a heads up to anyone running procmail v3.11pre4.
>
> FILES=| sed -n -e 's/^Subject:.*request \(.*\)/\1/p' | (cat; cat $FILES) | $SENDMAIL -oi -t

Obviously, you were not paying attention to procmailex well enough. It *clearly* states that this is a dangerous script if you play around with it too much:

"it does not return files that have names starting with a dot, nor does it allow files to be retrieved that are outside the fileserver directory tree (if you decide to munge this example, make sure you do not inadvertently loosen this last restriction)."

It tells you straight out that it includes built-in security in the script, but if you play around too much that you should not play around with one specific restriction -- which is the one that doesn't let you retrieve any files outside of the directory you specify.

Yes, it can be a security problem, only if you leave it open. Much like creating a root account w/o a password would leave a system vulnerable. Both are security holes, but not flaws in the system.

-------------------------------------------------------------------------
| Brock Rozen | brozen () webdreams com | http://www.webdreams.com/~brozen |
-------------------------------------------------------------------------
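
The restriction quoted from procmailex in the message above (no names starting with a dot, nothing outside the fileserver directory tree), written out as a standalone shell check. This is an added example, not code from procmailex or from either poster; the function names and the directory argument are assumptions, and only the sed expression is taken from the quoted line.

```shell
#!/bin/sh
# Added example: vet names taken from a "Subject: ... request NAME" header
# before a mail fileserver passes them to cat. Function names are hypothetical.

# Extract the requested names, using the sed expression quoted in the thread.
requested_names() {
    printf '%s\n' "$1" | sed -n -e 's/^Subject:.*request \(.*\)/\1/p'
}

# Succeeds only for a relative name from a conservative character set, with no
# path component starting with "." (this also rejects "..") or with "-".
is_safe_name() {
    case $1 in
        ''|/*|.*|*/.*|-*|*/-*) return 1 ;;
        *[!A-Za-z0-9._/-]*)    return 1 ;;
    esac
    return 0
}

# Prints the real path of NAME under ROOT, or fails if the name is unsafe,
# is not a regular file, is a symlink, or resolves outside ROOT.
resolve_request() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    is_safe_name "$2" || return 1
    [ -f "$root/$2" ] && [ ! -L "$root/$2" ] || return 1
    dir=$(cd "$(dirname "$root/$2")" 2>/dev/null && pwd -P) || return 1
    case $dir/ in
        "$root"/*) printf '%s/%s\n' "$dir" "$(basename "$2")" ;;
        *) return 1 ;;
    esac
}

# Serve every acceptable name from one header; refused names go to stderr.
serve_request() {
    set -f    # mailed-in words must never be glob-expanded by the shell
    for name in $(requested_names "$2"); do
        if path=$(resolve_request "$1" "$name"); then
            cat "$path"
        else
            printf 'refused: %s\n' "$name" >&2
        fi
    done
    set +f
}
```

The name check alone is not sufficient when the tree contains symlinks, which is why `resolve_request` compares the physical directory against the physical root before anything is read.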