[17056] in bugtraq
Re: Pegasus mail file reading vulnerability
daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Wed Oct 4 19:29:24 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <200010041956.IAA06872@fep4-orange.clear.net.nz>
Date: Thu, 5 Oct 2000 08:54:16 +1200
Reply-To: nick@virus-l.demon.co.uk
From: Nick FitzGerald <nick@VIRUS-L.DEMON.CO.UK>
X-To: alpinista@BIGFOOT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200010041434.KAA08069@rowlf.vtio.org>

George Bakos wrote in Bugtraq:

> The temporary fix stated by Mr. Ghory affords only a brief dialog
> flash. Not a very good fix. A better one is to NOT configure
> Pegasus to be the default mailer for IE. This is, unfortunately, a
> user specified option at install time, not the default. Also, queuing
> of outgoing mail allows for pre-delivery review. A pain, but until
> David supplies a fix, this is it.

Queueing and reviewing would work, but only for those users motivated
enough to do it (i.e. about 0.001% of the userbase... 8-) ).

> Be aware, the -F switch will only include a file in the body of a
> message; it will NOT attach a binary. The -B switch will
> accomplish this from the commandline, but not via IE. It seems
> this is more of an IE mailto: implementation issue more than a
> Pmail one. I wonder how many other apps you can pass
> commandline options to by exploiting this "feature".

As David said in his response to the list, this is a generic threat
for any mailer (or other "external" handler of other URL types) that
has a cmdline interface (the presence of which was one of the things
I always liked in PMail compared to many of its "rivals").

If looking for a "quick fix", and given few users probably depend on
the "-f" and "-b" cmdline features, this seems like a classic case
for deploying a wrapper that passes through only the "safe" (or
better, have it user configurable and pass through only the
"allowed") switches. I don't know what David's deployment time on
such a wrapper would be, relative to him accelerating development of
the other glue code he is already working on...

Regards,
Nick FitzGerald
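
The allow-list wrapper suggested in the message above, as an added example (not part of the original post and not Pegasus Mail code). It assumes switches start with "-" or "/", are a single case-insensitive letter, and may carry their value glued on or as the next token; `REAL_MAILER` is a placeholder path and the default allow-list is empty.

```python
import subprocess
import sys

# Placeholder path to the real mailer binary; set it for the local install.
REAL_MAILER = r"C:\path\to\real-mailer.exe"
# User-configurable allow-list. Empty by default, so "-f" and "-b" (the
# file-including switches discussed in the thread) are never forwarded.
ALLOWED_SWITCHES = frozenset()


def switch_id(token):
    """Return a normalized switch id such as '-f', or None for a non-switch.

    Assumption: switches start with '-' or '/', are one letter long and
    case-insensitive; a value may be glued on ('-Fpath') or follow as the
    next token.
    """
    if len(token) >= 2 and token[0] in "-/":
        return "-" + token[1].lower()
    return None


def filter_args(args, allowed=ALLOWED_SWITCHES):
    """Split args into (forwarded, dropped), dropping anything not allowed."""
    forwarded, dropped = [], []
    keep = True  # tokens before any switch (the recipient) are kept
    for token in args:
        sid = switch_id(token)
        if sid is not None:
            keep = sid in allowed
        # A non-switch token shares the fate of the switch before it, so the
        # value of a denied switch is dropped along with the switch itself.
        (forwarded if keep else dropped).append(token)
    return forwarded, dropped


def main(argv):
    forwarded, dropped = filter_args(argv[1:])
    if dropped:
        print("wrapper: dropped arguments:", dropped, file=sys.stderr)
    # shell=False (the default): no command interpreter parses the arguments.
    return subprocess.call([REAL_MAILER] + forwarded)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The wrapper would be registered as the URL handler in place of the mailer itself, so every externally supplied command line passes through `filter_args` first.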