In message <9503141505.AA26883@i3.informatik.rwth-aachen.de>,
Peter Heimann writes:
>Security patch for Majordomo version 1.93
Good point, I will make sure the patch is applied to 1.94. However, I
haven't seen a sendmail that allows To: addresses of the form:
I usually get a message like:
Cannot mail directly to programs
Cannot mail directly to files
A simple test is:
== start file
To: | /bin/cat, /tmp/file
Subject: A test
== end file
then do a:
sendmail -t < foo
On my system this results in:
/tmp/file... Cannot mail directly to files
| /bin/cat... Cannot mail directly to programs
Hopefully it should work the same for all sendmail variants.
>While majordomo itself is careful about checking a supplied 'from'
>address for the characters '/' and '|', the call to '&valid_addr'
>is missing in new-list and request-answer. This can make it possible
>for a malicious user to run programs or write to files.
This is needed because files and programs are valid addresses if they
are read in from an include'd file.
Senior Systems Administrator IDD Information Services
firstname.lastname@example.org Waltham, MA (617) 890-7227 x337
(617) 487-3937 (Direct)
Senior Systems Consultant (SERL Project) University of Massachusetts at Boston
email@example.com (preferred) Boston, MA, (617) 287-6480
My employers don't acknowledge my existence much less my opinions.
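An added example, not from the original message or from Majordomo's own code, illustrating the two points above: how a sendmail-style MTA classifies the recipients in the test To: header (program, file or mailbox), and an application-side check in the spirit of the missing &valid_addr call that rejects user-supplied addresses containing '/' or '|' before they ever reach sendmail, rather than relying on the MTA's "Cannot mail directly to ..." refusal. The header value, the function names and the exact rejection rules (including the refusal of embedded whitespace) are assumptions for this example.

```python
import re

# Constructed sample: the To: header from the test file in the message,
# with an ordinary mailbox appended so all three kinds appear.
SAMPLE_TO_HEADER = "| /bin/cat, /tmp/file, user@example.org"


def split_recipients(header_value):
    """Split a comma-separated To: value into individual recipients."""
    return [a.strip() for a in header_value.split(",") if a.strip()]


def classify_recipient(addr):
    """Classify one recipient the way a sendmail-style MTA treats it:
    a leading '|' is a program, a leading '/' is a file, anything else
    is assumed to be a mailbox."""
    a = addr.strip()
    if a.startswith("|"):
        return "program"
    if a.startswith("/"):
        return "file"
    return "mailbox"


def valid_addr(addr):
    """Assumed check modelled on the idea behind Majordomo's &valid_addr:
    an address taken from a user's request must be non-empty and must not
    contain '/' or '|' (so it can never name a file or a program), nor any
    whitespace.  Addresses read from an include'd file are operator data
    and are NOT passed through this check, which is why program and file
    recipients remain valid there."""
    a = addr.strip()
    if not a:
        return False
    if re.search(r"[/|]", a):
        return False
    if re.search(r"\s", a):
        return False
    return True


def safe_recipients(header_value):
    """Apply valid_addr to every user-supplied recipient and return
    (accepted, rejected).  Only the accepted list should be handed to
    sendmail."""
    accepted, rejected = [], []
    for a in split_recipients(header_value):
        (accepted if valid_addr(a) else rejected).append(a)
    return accepted, rejected


if __name__ == "__main__":
    for r in split_recipients(SAMPLE_TO_HEADER):
        print("%-20s %-8s valid_addr=%s" % (r, classify_recipient(r), valid_addr(r)))
    print(safe_recipients(SAMPLE_TO_HEADER))
```

Run as a script it lists each recipient from the sample header with the MTA's classification and the result of the application-side check; only user@example.org survives, and the program and file entries are dropped before any mail is handed to sendmail.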