ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #259 [ok, how about another sendmail hole?] (1 message, 619 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: "Stuart Levy" <email@example.com>
Date: Tue 17:20:48 15/11/1988 EST
Subject: ok, how about another sendmail hole?
References: [Thread Prev: 258] [Thread Next: 267] [Message Prev: 256] [Message Next: 257]
I'm wondering whether disabling the "debug" command is really sufficient to close the mailing-to-programs security hole. We've had sendmail hang because a user happened accidentally to send a msg with some control characters in the "To:" address. Sendmail (5.58 anyway) didn't filter them out before it scanned the address. Some of the control chars were the same ones which sendmail uses internally as special markers (e.g. $+) during parsing. So I'm wondering if one could construct a To: address with stuff like ^V, ^W, ^X embedded so that sendmail ends up passing it to the "program" mailer, say. It may be that the normal test for program-mailer use during an SMTP session would block this from making any headway.
END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|