Bugtraq mailing list archives
Re: Nasty hole in postifx/procmail/cyrus
From: guenther () GAC EDU (Philip Guenther)
Date: Sun, 2 Jul 2000 20:04:04 -0500
Dylan Griffiths <Dylan_G () BIGFOOT COM> writes:
> Secure Postfix+Procmail+Cyrus micro-howto
>
> This should be secure, as $1, $2, etc, are not trusted nor read.
> Postfix parses the user@domain.dom part for us, and feeds USER= and
> EXTENSION= lines to procmail, which works on those variables only
How is it more secure to pass the values as variable assignments on the command line instead of as $1, $2, etc? The error is in how the variables are used, not what they are named.
> The entry in master.cf for procmail to be used as a mailbox_transport:
>
> procmail unix - n n - - pipe
>   flags=R user=cyrus argv=/usr/bin/procmail -p \
>   /home/cyrus/procmail.common \
>   USER=${user} EXTENSION=${extension}
Does postfix check $(user) and $(extension) for evil characters (including whitespace) before passing them to procmail? Does it require $(user) to be an actual username? If not the latter, you're still open to the ../../etc/passwd hack, and if not the former then your recipes still allow remote attackers to change the arguments passed to deliver. Procmail's variable expansion style was derived from the shells, and therefore suffers all its defects. If you haven't sanitised it, you _must_ double-quote untrusted data to prevent filename globbing and word breaking.

...
> INCLUDERC=/home/cyrus/procmail.$USER

Did you check USER for /s and ..s?

...

> # If this fails, it tries without the extension
> :0w
> | $DELIVERMAIL -a $USER -e -q -m $EXTENSION $USER

What if EXTENSION or USER contains whitespace or a '*'? What if EXTENSION is *empty*? (Whoops, you just passed $USER to the -m flag. I hope that didn't hurt.)

    # Only call deliver with an extension if we were passed a
    # non-empty one
    :0 w
    * EXTENSION ?? .
    | $DELIVERMAIL -a "$USER" -e -q -m "$EXTENSION" -- "$USER"

(Do you really want the -q flag here? You might as well turn off quotas if you do.)

> # If this fails, it returns error!
> :0w
> | $DELIVERMAIL -a $USER -e -q $USER

Likewise:

    :0 w
    | $DELIVERMAIL -a "$USER" -e -q -- "$USER"

Philip Guenther
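The three points Guenther raises (word splitting and globbing of unquoted variables, the empty-EXTENSION case shifting $USER into the -m slot, and USER needing to be a real local username with no / or ..) can be reproduced in a plain POSIX shell, since procmail's expansion rules come from the shell. The script below is an added illustration written for this archive page, not code from either poster or from procmail/postfix. count_args stands in for the deliver program so the argument count is visible; valid_user and deliver_argv are hypothetical helper names, and the passwd file it consults is a constructed sample passed in as a parameter so the check runs offline.

```shell
#!/bin/sh
# Added example: why untrusted USER/EXTENSION must be quoted and validated
# before they reach an INCLUDERC path or the deliver command line.

# Stand-in for "deliver": just reports how many argv words it received.
count_args() { echo "$#"; }

# Expansion exactly as in the original recipe (unquoted) versus the
# corrected one (double-quoted, with -- to end option parsing).
args_unquoted() { count_args -a $1 -e -q $1; }
args_quoted()   { count_args -a "$1" -e -q -- "$1"; }

# Globbing demo in a constructed temp directory holding exactly two files,
# so a '*' in the variable expands deterministically when left unquoted.
glob_words_unquoted() {
    d=$(mktemp -d) || return 1
    : > "$d/one"; : > "$d/two"
    ( cd "$d" && count_args $1 )
    rm -rf "$d"
}
glob_words_quoted() {
    d=$(mktemp -d) || return 1
    : > "$d/one"; : > "$d/two"
    ( cd "$d" && count_args "$1" )
    rm -rf "$d"
}

# valid_user NAME [PASSWDFILE]: accept only a plain local username.
# Rejects empty names, leading dots, any '/', any '..', whitespace and shell
# metacharacters, then requires an exact match in field 1 of the passwd file
# (hypothetical check; defaults to /etc/passwd).
valid_user() {
    name=$1; pwfile=${2:-/etc/passwd}
    case "$name" in
        ''|.*|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' "$pwfile"
}

# deliver_argv USER EXTENSION: build the argument list the corrected
# recipes produce, adding -m only when EXTENSION is non-empty, and print
# one argv word per line so the result can be inspected.
deliver_argv() {
    user=$1; ext=$2
    if [ -n "$ext" ]; then
        set -- -a "$user" -e -q -m "$ext" -- "$user"
    else
        set -- -a "$user" -e -q -- "$user"
    fi
    printf '%s\n' "$@"
}

# Demonstration (output only; the checks below assert on return values).
echo "unquoted 'bob -x' -> $(args_unquoted 'bob -x') words"
echo "quoted   'bob -x' -> $(args_quoted 'bob -x') words"
echo "unquoted '*'      -> $(glob_words_unquoted '*') words"
echo "quoted   '*'      -> $(glob_words_quoted '*') word"
```

Run it directly to see the argument counts; a USER value of "bob -x" yields seven words unquoted (two extra flags deliver never asked for) and six quoted, and a bare * becomes one word per file in the working directory unless quoted. The same validation belongs in front of INCLUDERC=/home/cyrus/procmail.$USER, since a USER of ../../etc/passwd passes straight into the path otherwise.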
Current thread:
- Nasty hole in postifx/procmail/cyrus John Pettitt (Jun 30)
- Posting vulnerabilities Alfred Huger (Jun 30)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 01)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- <Possible follow-ups>
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 06)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 14)