Bugtraq mailing list archives

Re: Pegasus mail file reading vulnerability


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 5 Oct 2000 08:54:16 +1200

George Bakos wrote in Bugtraq:

> The temporary fix stated by Mr. Ghory affords only a brief dialog
> flash.  Not a very good fix.  A better one is to NOT configure
> Pegasus to be the default mailer for IE.  This is, unfortunately a
> user specified option at install time, not the default.  Also, queuing
> of outgoing mail allows for pre-delivery review.  A pain, but until
> David supplies a fix, this is it.

Queuing and reviewing would work, but only for those users motivated
enough to do it (i.e. about 0.001% of the userbase...  8-) ).

> Be aware, the -F switch will only include a file in the body of a
> message; it will NOT attach a binary.  The -B switch will
> accomplish this from the commandline, but not via IE.  It seems
> this is more of an IE mailto: implementation issue more than a
> Pmail one.  I wonder how many other apps you can pass
> commandline options to by exploiting this "feature".

As David said in his response to the list, this is a generic threat
for any mailer (or other "external" handler of other URL types) that
has a cmdline interface (the presence of which was one of the things
I always liked in PMail compared to many of its "rivals").

If looking for a "quick fix", and given few users probably depend on
the "-f" and "-b" cmdline features, this seems like a classic case
for deploying a wrapper that passes through only the "safe" (or
better, have it user configurable and pass through only the
"allowed") switches.  I don't know what David's deployment time on
such a wrapper would be, relative to him accelerating development of
the other glue code he is already working on...


Regards,

Nick FitzGerald
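
The allowlisting wrapper suggested in the message above, as an added example (not part of the original message and not Pegasus Mail code). Assumptions: the mailer path is a placeholder, switches are single letters matched case-insensitively, "/" is treated as a switch prefix as well as "-", and the default refuses to launch when any switch was dropped, which is stricter than simply passing the rest through.

```python
"""Wrapper to register as the mailto: handler in place of the real mailer."""
import subprocess
import sys

# Assumptions, not from the original message: placeholder install path,
# single-letter switch names, "/" accepted as a switch prefix like "-".
REAL_MAILER = r"C:\path\to\real-mailer.exe"
SWITCH_PREFIXES = ("-", "/")
ALLOWED = frozenset()  # user-configurable allowlist; empty = no switches pass


def switch_name(token):
    """Return the lower-cased switch letter, or None if token is not a switch."""
    if len(token) >= 2 and token[0] in SWITCH_PREFIXES:
        return token[1].lower()
    return None


def filter_args(args, allowed=ALLOWED):
    """Split args into (kept, dropped); only allowlisted switches are kept."""
    kept, dropped = [], []
    for tok in args:
        name = switch_name(tok)
        if name is None or name in allowed:
            kept.append(tok)
        else:
            dropped.append(tok)
    return kept, dropped


def build_command(args, allowed=ALLOWED, strict=True):
    """Return the argv to launch, or None when strict and a switch was dropped.

    Strict mode exists because a dropped switch may leave its value (a file
    path) behind as a positional argument.
    """
    kept, dropped = filter_args(args, allowed)
    if dropped and strict:
        return None
    return [REAL_MAILER] + kept


def main(argv):
    cmd = build_command(argv[1:])
    if cmd is None:
        print("blocked: disallowed switch in handler arguments", file=sys.stderr)
        return 1
    return subprocess.call(cmd)  # list form: arguments are not re-parsed by a shell


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```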

