Subject: Re: procmail and formail
From: Michel Kaempf (maxx via.ecp.fr)
Date: Wed Sep 13 2000 - 08:40:16 CDT
- Next message: Mark Cooke: "pinstripe / hosts file name resolution / segvs in ping"
- Previous message: Markus Friedl: "Re: procmail and formail"
- In reply to: Fred Cohen: "procmail and formail"
- Reply: Michel Kaempf: "Re: procmail and formail"
On Wed, Sep 13, 2000, Fred Cohen wrote:
> | formail -i "Subject:[test]$SUBJECT" | sendmail ...
>
> It seems to me that this will pass a remotely specified $SUBJECT
> string through an undesirable interpretation process. I have tried to
> exploit it with something like:
>
> Subject: this should `rm /tmp/testfile` delete the test file
>
> But to no avail. Is there some reason that I am missing that such
> attacks cannot work? It seems to me that there are an awful lot of
> procmail scripts out there that could be exploited by such things.
Perhaps I am missing your point here, but I think it won't work because
of the way the shell works. The shell will not expand the SUBJECT
variable AND run the command given in backquotes. In order for this to
work, the given string should be reevaluated by the shell, either by
running a command like `eval' on it, or by running another shell script
with the SUBJECT line as an argument.
-- MaXX
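
The behaviour described in the reply, as an added example that is not part of the original message: a value produced by variable expansion is not scanned again for backquotes, while `eval` or splicing the value into the text of a new shell's script forces a second parse. The marker path, the function names and the sample Subject value are constructed for illustration, and `printf` stands in for `formail`.

```shell
#!/bin/sh
# Added example. The constructed Subject value carries a backquoted command
# that only creates a marker file inside a private temporary directory.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
MARKER="$DEMO_DIR/marker"
SUBJECT="this should \`touch $MARKER\` create the marker"

# Run one variant, then report whether the embedded command was executed.
check() {
    rm -f "$MARKER"
    "$@" >/dev/null
    [ -e "$MARKER" ] && echo executed || echo inert
}

# One pass: $SUBJECT is substituted and the result is passed on as data.
once() { printf '%s\n' "Subject:[test]$SUBJECT"; }

# Unquoted use is still one pass: the value is word-split and globbed,
# but no command substitution is performed on it.
unquoted() { printf '%s\n' $SUBJECT; }

# Second pass: eval parses the already-expanded string as shell code.
via_eval() { eval "printf '%s\n' \"Subject:[test]$SUBJECT\""; }

# Second pass in a child shell: the value becomes part of the script text.
via_sh_c() { sh -c "printf '%s\n' \"Subject:[test]$SUBJECT\""; }

# Child shell with the value passed as a positional parameter: the script
# text is fixed, so the value is expanded once and stays data.
via_sh_arg() { sh -c 'printf "%s\n" "Subject:[test]$1"' sh "$SUBJECT"; }

for variant in once unquoted via_eval via_sh_c via_sh_arg; do
    printf '%-11s %s\n' "$variant" "$(check "$variant")"
done
```

When auditing procmail recipes and the scripts they call, the constructs to look for are the ones that re-parse header data (`eval`, `sh -c "...$VAR..."`, unquoted here-documents fed to a shell), not plain `"$VAR"` arguments.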