Bugtraq mailing list archives

Re: a few bugs ...

From: roessler () MUTT ORG (Thomas Roessler)
Date: Wed, 15 Mar 2000 09:07:14 +0100


On 2000-03-13 14:31:23 -0000, Maurycy Prodeus wrote:

Mail agent programs like: standard ;P 'mail' from
Berkeley Distribution or mutt, elm perhaps other :),
use sendmail arguments to put email adress where luser
wants to send mail. It's similar problem to crontab's
or lpd's bugs. Example: if you put line with Reply-To:
-X /dev/hda1 ;P or something like that :> to mail
message and luser ( in this case root ) stupid pushes
OK,OK,OK :) ( ofz he'd want to reply ) it may
write/destroy file ( /dev/hda1 :] ). I know it isn't
good example but I only wanted to show idea...


This does NOT work against mutt:

(1) We use execv to start sendmail from within mutt, so no
    shell parsing is involved.

(2) We explicitly tell sendmail to stop option processing
    (giving the "--" command line parameter) _before_ we
    start throwing externally-supplied e-mail addresses at
    it.

Please make sure you verify your claims about security
problems _before_ publishing them in public.

--
http://www.mutt.org/

Current thread:

Re: [ Hackerslab bug_paper ] Linux printtool get printer password, (continued)
- - Re: [ Hackerslab bug_paper ] Linux printtool get printer password Tuomas Jormola (Mar 09)
  - RealPlayer and Comet Cursor Keela Robison (Mar 09)
    - Fwd: ircii-4.4 buffer overflow bladi (Feb 07)
    - Re: Fwd: ircii-4.4 buffer overflow Derek Callaway (Mar 11)
    - Re: RealPlayer and Comet Cursor pedward () WEBCOM COM (Mar 09)
    - The Comet Cursor Sarah MacArthur (Mar 09)
    - Network File Resource Vulnerability Eric Hacker (Mar 09)
    - Re: Network File Resource Vulnerability David LeBlanc (Mar 11)
    - misc. cross site scripting issues Marc Slemko (Mar 12)
    - a few bugs ... Maurycy Prodeus (Mar 13)
    - Re: a few bugs ... Thomas Roessler (Mar 15)
    - Re: a few bugs ... Michal Zalewski (Mar 17)
    - Patch: ip_masq_ftp / Linux 2.2.x (extended FTP ALG vulnerabilty) Bjarni R. Einarsson (Mar 20)
    - Microsoft Security Bulletin (MS00-018 Microsoft Product Security (Mar 20)
    - Re: a few bugs ... Coke (Mar 20)
    - Re: a few bugs ... Daniel Jacobowitz (Mar 20)
    - Re: a few bugs ... Michal Zalewski (Mar 20)
    - DoS with NAVIEG PAUL VanDyke (Mar 17)
    - [ANNOUNCE] strace for NT tsabin () RAZOR BINDVIEW COM (Mar 13)
    - Linux patch for blocking buffer overflow based attacks massimo () IAC RM CNR IT (Mar 10)
    - ICQ remote DoS Philip Stoev (Mar 10)

(Thread continues...)