The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #259 [ok, how about another sendmail hole?] (1 message, 619 bytes)


From: "Stuart Levy" <>
To: phage
Date: Tue 17:20:48 15/11/1988 EST
Subject: ok, how about another sendmail hole?
References: [Thread Prev: 258] [Thread Next: 267] [Message Prev: 256] [Message Next: 257]

I'm wondering whether disabling the "debug" command is really sufficient
to close the mailing-to-programs security hole.

We've had sendmail hang because a user happened accidentally to send a msg
with some control characters in the "To:" address.  Sendmail (5.58 anyway)
didn't filter them out before it scanned the address.  Some of the control
chars were the same ones which sendmail uses internally as special markers
(e.g. $+) during parsing.

So I'm wondering if one could construct a To: address with stuff like
^V, ^W, ^X embedded so that sendmail ends up passing it to the "program"
mailer, say.  It may be that the normal test for program-mailer use
during an SMTP session would block this from making any headway.
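The failure mode Stuart is worried about is in-band signalling: a rewriting engine that marks up the parsed address with raw control bytes cannot tell its own markers from the same bytes arriving inside a header. The toy below is an added illustration, not code from the message or from sendmail; the marker values (^V, ^W, ^X standing for "canonical net / host / user"), the rewriting rule, the mailer-selection step and the sample addresses are all constructed for this example. It shows a naive pipeline that parses the marked-up address after rewriting, the way an attacker-supplied ^V/^X could make it select a different mailer than the rewriter intended, and the obvious check a mailer should apply before the address is ever tokenized.

```python
"""Toy model of in-band marker collision in an address rewriter.

Everything here is constructed for illustration: the marker bytes,
the rewriting rule and the mailer-selection logic are hypothetical
and are not sendmail's actual tables or code.
"""
import re

# Hypothetical internal markers (assumed for this toy; ^V, ^W, ^X)
CANONNET = "\x16"   # "the mailer name follows"
CANONHOST = "\x17"  # "the host part follows"
CANONUSER = "\x18"  # "the user part follows"

# C0 controls except TAB (allowed as folding whitespace), plus DEL
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def rewrite(addr):
    """Naive rewriter: emits markers around the parsed address fields.

    user@host -> NET smtp HOST host USER user
    user      -> NET local USER user
    Nothing is validated; whatever was in the header is copied through.
    """
    user, _, host = addr.partition("@")
    if host:
        return f"{CANONNET}smtp{CANONHOST}{host}{CANONUSER}{user}"
    return f"{CANONNET}local{CANONUSER}{user}"


def parse_marked(rewritten):
    """Downstream step: scan the marked-up string and pull out fields.

    Each marker resets the field it introduces, so a marker byte that
    arrived inside the original address is indistinguishable from one
    the rewriter emitted, and a later one simply overrides the earlier.
    """
    fields = {"mailer": "", "host": "", "user": ""}
    cur = None
    for ch in rewritten:
        if ch == CANONNET:
            cur = "mailer"
            fields[cur] = ""
        elif ch == CANONHOST:
            cur = "host"
            fields[cur] = ""
        elif ch == CANONUSER:
            cur = "user"
            fields[cur] = ""
        elif cur is not None:
            fields[cur] += ch
    return fields


def address_has_controls(addr):
    """The check a mailer should apply to header input before parsing."""
    return CONTROL_RE.search(addr) is not None


def safe_rewrite(addr):
    """Hardened entry point: refuse control bytes, then rewrite as before."""
    if address_has_controls(addr):
        raise ValueError("control characters in address rejected")
    return rewrite(addr)


def demo(addr):
    """Return (naive result, hardened result) for one address."""
    naive = parse_marked(rewrite(addr))
    try:
        hardened = parse_marked(safe_rewrite(addr))
    except ValueError as exc:
        hardened = str(exc)
    return naive, hardened


if __name__ == "__main__":
    # Constructed sample inputs: a normal address, then one carrying
    # the same bytes the rewriter uses as its own markers.
    for sample in ("alice@example.org", "\x16prog\x18cmd"):
        print(repr(sample), "->", demo(sample))
```

With the normal address the naive and hardened paths agree. With the second sample the naive path ends up selecting the hypothetical "prog" mailer with user "cmd", even though the rewriter only ever emitted "local": the control bytes inside the address were consumed as markers. The hardened path never reaches the parser; it rejects the address at the boundary, which is the filter Stuart observes that sendmail 5.58 was missing.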