In message <9503141505.AA26883@i3.informatik.rwth-aachen.de>,
Peter Heimann writes:
>Security patch for Majordomo version 1.93
Good point, I will make sure the patch is applied to 1.94. However, I
haven't seen a sendmail that allows To: addresses of the form:
| program
or
/foo/file
I usually get a message like:
Cannot mail directly to programs
or
Cannot mail directly to files
A simple test is:
== start file
To: | /bin/cat, /tmp/file
From: root
Subject: A test
foo
blah
== end file
then do a:
sendmail -t < foo
On my system this results in:
/tmp/file... Cannot mail directly to files
| /bin/cat... Cannot mail directly to programs
Hopefully it should work the same for all sendmail variants.
>While majordomo itself is careful about checking a supplied 'from'
>address for the characters '/' and '|', the call to '&valid_addr'
>is missing in new-list and request-answer. This can make it possible
>for a malicious user to run programs or write to files.
This is needed because files and programs are valid addresses if they
are read in from an include'd file.
-- John
John Rouillard
Senior Systems Administrator IDD Information Services
rouilj@dstar.iddis.com Waltham, MA (617) 890-7227 x337
(617) 487-3937 (Direct)
Senior Systems Consultant (SERL Project) University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred) Boston, MA, (617) 287-6480
===============================================================================
My employers don't acknowledge my existence much less my opinions.
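The two checks discussed in this thread, sendmail refusing recipients that start with '|' or '/' and Majordomo's &valid_addr test for those characters, as an added Python example that is neither from the post nor from Majordomo; the sample message is constructed from the test file above and the function names are my own.

```python
import re

# Constructed sample, modelled on the test file in the post, with one
# ordinary mailbox added so all three outcomes appear.
SAMPLE_MESSAGE = """To: | /bin/cat, /tmp/file, user@example.com
From: root
Subject: A test

foo
blah
"""


def parse_recipients(message):
    """Return the comma-separated addresses from the To: header."""
    headers, _, _ = message.partition("\n\n")
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "to":
            return [a.strip() for a in value.split(",") if a.strip()]
    return []


def classify_address(addr):
    """Classify a recipient the way the post describes sendmail doing it:
    leading '|' is a program, leading '/' is a file, anything else is mail."""
    if addr.startswith("|"):
        return "program"
    if addr.startswith("/"):
        return "file"
    return "mail"


def valid_addr(addr):
    """Reject an address containing '/' or '|' anywhere, the test the post
    says Majordomo applies to a supplied 'from' address (hypothetical port)."""
    return re.search(r"[/|]", addr) is None


def check_message(message):
    """Return (address, verdict) for each To: recipient of the message."""
    results = []
    for addr in parse_recipients(message):
        kind = classify_address(addr)
        if kind == "program":
            results.append((addr, "Cannot mail directly to programs"))
        elif kind == "file":
            results.append((addr, "Cannot mail directly to files"))
        elif not valid_addr(addr):
            results.append((addr, "rejected by valid_addr"))
        else:
            results.append((addr, "ok"))
    return results
```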