[15640] in bugtraq


Re: Nasty hole in postfix/procmail/cyrus

daemon@ATHENA.MIT.EDU (Dylan Griffiths)
Wed Jul 5 19:41:21 2000

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <396272D6.AD805F8@bigfoot.com>
Date:         Tue, 4 Jul 2000 17:27:18 -0600
Reply-To: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
From: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

> >procmail  unix  -       n       n       -       -       pipe
> >    flags=R user=cyrus argv=/usr/bin/procmail -p \
> >                 /home/cyrus/procmail.common \
> >                 USER=${user} EXTENSION=${extension}
>
>In my opinion, the bug is for procmail to execute commands in
>per-recipient files when running with someone else's privileges.
>
>The pipe transport DOES NOT filter $name expansions, because the
>command is not executed by a shell. This is described in the pipe(8)
>manual page.
>
>The local delivery agent DOES filter $name expansions, because the
>command is often executed by a shell. The filter is under control
>by the $command_expansion_filter configuration parameter.  This is
>described in the local(8) manual page. This applies to any external
>command executed by the local delivery agent, including mailbox_command.
>
>	Wietse

So postfix does support the necessary filtering required to sanitize the
variables passed to procmail.  If Postfix is properly set up, Procmail would
not be vulnerable to the originally described hole.
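The distinction Wietse draws above, as an added example that is not part of this thread and not Postfix code: the local(8) delivery agent runs $name expansions through command_expansion_filter (characters outside the allowed set become underscores) because the result may reach a shell, while the pipe(8) transport substitutes the raw values into separate argv words and never invokes a shell. The model below is deliberately simplified; the default character set is quoted from memory of postconf(5) and should be treated as an assumption (check `postconf -d command_expansion_filter` on a real host), and the names `filter_value`, `local_mailbox_command`, `pipe_argv` and `unfiltered_words` are mine, not Postfix's.

```python
import re

# Assumed default of command_expansion_filter as documented in postconf(5);
# verify against `postconf -d command_expansion_filter` before relying on it.
DEFAULT_EXPANSION_FILTER = (
    "1234567890!@%-_=+:,./"
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
)

# Matches ${name} and $name attribute references in a command template.
_NAME_REF = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def filter_value(value, allowed=DEFAULT_EXPANSION_FILTER):
    """local(8) semantics: every character outside the allowed set becomes '_'."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def _expand(template, attrs, sanitize):
    """Single-pass substitution so a '$' inside an attribute value is never re-expanded."""
    def repl(match):
        name = match.group(1) or match.group(2)
        value = attrs.get(name, "")
        return filter_value(value) if sanitize else value
    return _NAME_REF.sub(repl, template)


def local_mailbox_command(template, attrs):
    """Expand a mailbox_command the way local(8) does: filtered, since a shell may run it."""
    return _expand(template, attrs, sanitize=True)


def pipe_argv(argv_template, attrs):
    """Expand a pipe(8) argv word by word: unfiltered, because no shell is involved and
    each word stays one argv element.  The receiving program still sees the raw value."""
    return [_expand(word, attrs, sanitize=False) for word in argv_template]


def unfiltered_words(argv, allowed=DEFAULT_EXPANSION_FILTER):
    """Audit helper: argv words that carry characters the local(8) filter would have
    rewritten, i.e. what the piped command must be able to handle safely on its own."""
    return [word for word in argv if any(ch not in allowed for ch in word)]


if __name__ == "__main__":
    # Constructed recipient attributes: the extension carries a shell metacharacter.
    attrs = {"user": "cyrus", "extension": "team;id"}

    print(local_mailbox_command("/usr/bin/procmail -a ${extension}", attrs))
    argv = pipe_argv(
        ["/usr/bin/procmail", "-p", "/home/cyrus/procmail.common",
         "USER=${user}", "EXTENSION=${extension}"],
        attrs,
    )
    print(argv)
    print("words pipe(8) hands over unfiltered:", unfiltered_words(argv))
```

With the constructed input the local(8) path yields `/usr/bin/procmail -a team_id`, while the pipe(8) path delivers `EXTENSION=team;id` intact as one argv element; the audit helper flags exactly that word, which is why the piped program itself, not the transport, has to treat such values as untrusted.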
