Bugtraq mailing list archives
Re: Pegasus mail file reading vulnerability
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 5 Oct 2000 08:54:16 +1200
George Bakos wrote in Bugtraq:
The temporary fix stated by Mr. Ghory affords only a brief dialog flash. Not a very good fix. A better one is to NOT configure Pegasus to be the default mailer for IE. This is, unfortunately a user specified option at install time, not the default. Also, queuing of outgoing mail allows for pre-delivery review. A pain, but until David supplies a fix, this is it.
Queing and reviewing would work, but only for those users motivated enough to do it (i.e. about 0.001% of the userbase... 8-) ).
Be aware, the -F switch will only include a file in the body of a message; it will NOT attach a binary. The -B switch will accomplish this from the commandline, but not via IE. It seems this is more of an IE mailto: implementation issue more than a Pmail one. I wonder how many other apps you can pass commandline options to by exploiting this "feature".
As David said in his response to the list, this is a generic threat for any mailer (or other "external" handler of other URL types) that has a cmdline interface (the presence of which was one of the things I always liked in PMail compared to many of its "rivals"). If looking for a "quick fix", and given few users probably depend on the "-f" and "-b" cmdline features, this seems like a classic case for deploying a wrapper that passes through only the "safe" (or better, have it user configurable and pass through only the "allowed") switches. I don't know what David's deployment time on such a wrapper would be, relative to him accelerating development of the other glue code he is already working on... Regards, Nick FitzGerald
Current thread:
- Pegasus mail file reading vulnerability Imran Ghory (Oct 03)
- Re: Pegasus mail file reading vulnerability George Bakos (Oct 04)
- Re: Pegasus mail file reading vulnerability Nick FitzGerald (Oct 04)
- <Possible follow-ups>
- Pegasus Mail file reading vulnerability Richard Stevenson (Oct 31)
- Re: Pegasus mail file reading vulnerability George Bakos (Oct 04)