[17520] in bugtraq
Re: mail Reply-To field exploit
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Mon Nov 6 13:46:10 2000
Mail-Followup-To: gregory duchemin <c3rb3r@HOTMAIL.COM>,
BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20001106122320.J28600@sobolev.does-not-exist.org>
Date: Mon, 6 Nov 2000 12:23:20 +0100
Reply-To: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
From: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
X-To: gregory duchemin <c3rb3r@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <F282z4r02V5xm4iZrbU00009213@hotmail.com>; from
c3rb3r@HOTMAIL.COM on Sun, Nov 05, 2000 at 09:56:17PM +0000
On 2000-11-05 21:56:17 +0000, gregory duchemin wrote:
> Note: It's NOT A BUG in mail, sendmail or mail.local but a
> weakness caused by a blindly rfc compliance. I didn't try elm,
> mailx and others so feedback is welcome
No, it's not a weakness caused by blind rfc compliance, but a
deliberate decision by those who wrote mailx.
You can - easily - write MUAs which don't fall for shell meta
characters in addresses. You just have to avoid using popen(3), and
generally avoid the shell when passing things to other programs.
Actually, mailx gets this partially right by using execvp to pass
arguments to sendmail.
However, please have a look at the following comment in front of the
outof() routine in mailx' names.c module, and at the code in that
routine:
216 /*
217  * For each recipient in the passed name list with a /
218  * in the name, append the message to the end of the named file
219  * and remove him from the recipient list.
220  *
221  * Recipients whose name begins with | are piped through the given
222  * program and removed.
223  */
224 struct name *
225 outof(names, fo, hp)
226         struct name *names;
227         FILE *fo;
228         struct header *hp;
(YMMV with respect to line numbers; I'm currently looking at
Debian's version of mailx-8.1.1.)
--
Thomas Roessler <roessler@does-not-exist.org>
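One way to do what the post recommends (no popen(3), no shell between the MUA and sendmail, and no recipient forms that outof() would treat as a file or a pipe), as an added example in C that is neither from the original post nor from the mailx sources; the sendmail path and the tolerated address character set are assumptions:

```c
/* Added example: hand one recipient to the MTA via fork()/execvp()
 * with an explicit argv, so shell metacharacters in a hostile
 * Reply-To are inert, and refuse the address forms mailx' outof()
 * would route to a file ('/') or a program (leading '|'). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SENDMAIL_PATH "/usr/sbin/sendmail"   /* assumed location */

/* Allowlist of characters accepted in an address passed to the MTA.
 * Everything else (shell metacharacters, '/', '|', quotes, blanks)
 * is rejected. A leading '-' is refused too, since sendmail would
 * parse it as an option rather than a recipient. */
int address_is_safe(const char *addr)
{
    const char *ok = "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789@.-_+=";
    size_t n = strlen(addr);
    if (n == 0 || n > 254 || addr[0] == '-')
        return 0;
    return strspn(addr, ok) == n;
}

/* Run a program with argv[] directly; no shell ever sees the
 * arguments, so the address stays exactly one argv element.
 * Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Submit to one recipient: 0 on success, -1 if rejected or failed.
 * "-oi" keeps sendmail from treating a lone "." line as end of input. */
int submit_to_sendmail(const char *recipient)
{
    if (!address_is_safe(recipient))
        return -1;
    char *argv[] = { SENDMAIL_PATH, "-oi", (char *)recipient, NULL };
    return run_without_shell(argv) == 0 ? 0 : -1;
}
```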