[14323] in bugtraq

Re: a few bugs ...

daemon@ATHENA.MIT.EDU (Thomas Roessler)
Fri Mar 17 02:24:09 2000

Mail-Followup-To: Maurycy Prodeus <z33d@TENET.PL>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000315090714.D26334@sobolev.rhein.de>
Date:         Wed, 15 Mar 2000 09:07:14 +0100
Reply-To: Thomas Roessler <roessler@MUTT.ORG>
From: Thomas Roessler <roessler@MUTT.ORG>
X-To:         Maurycy Prodeus <z33d@TENET.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000313143123.9899.qmail@tenet.pl>; from z33d@TENET.PL on Mon,
              Mar 13, 2000 at 02:31:23PM -0000

On 2000-03-13 14:31:23 -0000, Maurycy Prodeus wrote:

> Mail agent programs like: standard ;P 'mail' from
> Berkeley Distribution or mutt, elm perhaps other :),
> use sendmail arguments to put email address where luser
> wants to send mail. It's a similar problem to crontab's
> or lpd's bugs. Example: if you put line with Reply-To:
> -X /dev/hda1 ;P or something like that :> to mail
> message and luser ( in this case root ) stupid pushes
> OK,OK,OK :) ( ofz he'd want to reply ) it may
> write/destroy file ( /dev/hda1 :] ). I know it isn't
> good example but I only wanted to show idea...

This does NOT work against mutt:

(1) We use execv to start sendmail from within mutt, so no
    shell parsing is involved.

(2) We explicitly tell sendmail to stop option processing
    (giving the "--" command line parameter) _before_ we
    start throwing externally-supplied e-mail addresses at
    it.

Please make sure you verify your claims about security
problems _before_ publishing them in public.

--
http://www.mutt.org/