Bugtraq mailing list archives
Re: mail Reply-To field exploit
From: Thomas Roessler <roessler () DOES-NOT-EXIST ORG>
Date: Mon, 6 Nov 2000 12:23:20 +0100
On 2000-11-05 21:56:17 +0000, gregory duchemin wrote:
> Note: It's NOT A BUG in mail, sendmail or mail.local but a weakness caused by a blind rfc compliance. I didn't try elm, mailx and others, so feedback is welcome.
No, it's not a weakness caused by blind rfc compliance, but a deliberate decision by those who wrote mailx. You can - easily - write MUAs which don't fall for shell meta characters in addresses. You just have to avoid using popen(3), and generally avoid the shell when passing things to other programs.

Actually, mailx gets this partially right by using execvp to pass arguments to sendmail. However, please have a look at the following comment in front of the outof() routine in mailx' names.c module, and at the code in that routine:

    216 /*
    217  * For each recipient in the passed name list with a /
    218  * in the name, append the message to the end of the named file
    219  * and remove him from the recipient list.
    220  *
    221  * Recipients whose name begins with | are piped through the given
    222  * program and removed.
    223  */
    224 struct name *
    225 outof(names, fo, hp)
    226     struct name *names;
    227     FILE *fo;
    228     struct header *hp;

(YMMV with respect to line numbers; I'm currently looking at Debian's version of mailx-8.1.1.)

--
Thomas Roessler <roessler () does-not-exist org>
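The reply above makes two points: hand recipients to sendmail through execvp() with one argv element per address so the shell never sees them, and do not let an address that came from a header (such as Reply-To) select the "append to file" or "pipe to program" behaviour that mailx' outof() implements. The following C sketch is an added example and is not code from Thomas Roessler's post or from mailx itself. The function names (recipient_is_plain, build_sendmail_argv, run_without_shell) are hypothetical, the rejection of a leading '-' (so an address cannot be parsed as a sendmail option) is an added hardening assumption beyond what the post states, and the sample addresses in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Classify a recipient the way the outof() comment describes it:
 * a leading '|' means "pipe through this program", a '/' anywhere
 * means "append the message to this file". A hardened MUA refuses
 * both for addresses taken from untrusted headers. A leading '-' is
 * also refused (assumption: keeps an address from being read as a
 * sendmail option). Returns 1 for a plain mailbox address, else 0. */
int recipient_is_plain(const char *rcpt)
{
    if (rcpt == NULL || *rcpt == '\0')
        return 0;
    if (rcpt[0] == '|' || rcpt[0] == '-')
        return 0;
    if (strchr(rcpt, '/') != NULL)
        return 0;
    return 1;
}

/* Build an argv vector for sendmail: "sendmail", "-i" (ignore a lone
 * '.' on input), then one element per recipient. execvp() passes each
 * element verbatim, so characters like ';', '`' or '|' inside an
 * address are never interpreted by a shell. Returns argc, or -1 if a
 * recipient is rejected or the vector is too small. */
int build_sendmail_argv(const char *const *rcpts, int nrcpts,
                        const char **argv, int cap)
{
    int argc = 0;
    if (cap < nrcpts + 3)          /* 2 fixed args + recipients + NULL */
        return -1;
    argv[argc++] = "sendmail";
    argv[argc++] = "-i";
    for (int i = 0; i < nrcpts; i++) {
        if (!recipient_is_plain(rcpts[i]))
            return -1;
        argv[argc++] = rcpts[i];
    }
    argv[argc] = NULL;
    return argc;
}

/* The execvp() pattern the post recommends instead of popen(3):
 * fork, feed the body on the child's stdin, exec argv[0] directly.
 * Returns the child's exit status, or -1 on a local error. */
int run_without_shell(const char *const *argv, const char *body)
{
    int fds[2];
    int status;
    pid_t pid;

    if (pipe(fds) == -1)
        return -1;
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                /* child: stdin <- pipe, then exec */
        close(fds[1]);
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        execvp(argv[0], (char *const *)argv);
        _exit(127);                /* exec failed */
    }
    close(fds[0]);
    size_t left = strlen(body);
    const char *p = body;
    while (left > 0) {             /* write the whole body, handling short writes */
        ssize_t n = write(fds[1], p, left);
        if (n <= 0)
            break;
        p += n;
        left -= (size_t)n;
    }
    close(fds[1]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample recipients, including the two forms outof() treats specially. */
    const char *samples[] = { "alice@example.org", "|program", "/tmp/outfile", "-Cfile" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               recipient_is_plain(samples[i]) ? "plain address" : "rejected");

    const char *rcpts[] = { "alice@example.org", "bob@example.net" };
    const char *argv[8];
    int argc = build_sendmail_argv(rcpts, 2, argv, 8);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    return 0;
}
```

The test below only exercises the pure classification and argv construction; run_without_shell() is left for the reader to try against a real sendmail binary.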
Current thread:
- mail Reply-To field exploit gregory duchemin (Nov 06)
- Re: mail Reply-To field exploit Thomas Roessler (Nov 07)