The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #343 [FYI-- another sendmail nasty] (1 message, 631 bytes)


From: (Bruce Cole)
To: phage
Date: Tue 21:22:47 06/12/1988 EST
Subject: FYI-- another sendmail nasty

If your sendmail is older than 5.57 try the following:
Open up an smtp connection to your mailer, and supply a program name with
the MAIL FROM command.  Eg: mail from:<"| /bin/rm /etc/passwd">.  Then supply
a recipient address containing an invalid host name.  Guess what is
likely to happen when the mail bounces?

This security problem STILL exists under Sun OS 4.0 and Ultrix.

PS:  How many sites running sendmail ports on machines other than vaxes and
suns have taken care of sendmail security problems?  For example, think of
all the sites which run Wollongong TCP with Berkeley sendmail version 4.12?
That distribution of sendmail also comes with debug turned on by default.
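
Added example, not part of the original message and not sendmail code: a small Python check that a filtering front end or a log review could apply to SMTP envelope commands, flagging a MAIL FROM or RCPT TO path that sendmail would read as a program instead of a mailbox. It goes beyond the message by also flagging the file ("/...") and ":include:" forms; the function names and the sample session are constructed for illustration.

```python
import re

# SMTP envelope commands; group 2 is the path between the angle brackets.
_ENVELOPE = re.compile(r'^\s*(MAIL\s+FROM|RCPT\s+TO)\s*:\s*<(.*)>', re.IGNORECASE)

def _unquote(path):
    """Undo one layer of double-quote and backslash quoting on an envelope path."""
    path = path.strip()
    if len(path) >= 2 and path[0] == '"':
        end = path.rfind('"')
        if end > 0:
            path = path[1:end] + path[end + 1:]
    return re.sub(r'\\(.)', r'\1', path)

def classify(path):
    """Return the delivery form the path would select in sendmail, or None."""
    p = _unquote(path).lstrip()
    if p.startswith('|'):
        return 'program'   # message piped to a command
    if p.startswith('/'):
        return 'file'      # message appended to a file
    if p.lower().startswith(':include:'):
        return 'include'   # recipient list read from a file
    return None

def scan(lines):
    """Return (line_number, verb, kind) for each suspicious envelope command."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _ENVELOPE.match(line)
        if not match:
            continue
        kind = classify(match.group(2))
        if kind:
            verb = ' '.join(match.group(1).upper().split())
            hits.append((number, verb, kind))
    return hits

# Constructed sample session; line 2 is the sender form quoted in the message.
SAMPLE = [
    'HELO client.example',
    'MAIL FROM:<"| /bin/rm /etc/passwd">',
    'RCPT TO:<user@no-such-host.invalid>',
    'MAIL FROM:<alice@example.org>',
    'mail from:<"/tmp/out">',
    'RCPT TO:<\\|/usr/bin/id@example.org>',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit)
```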