Bugtraq mailing list archives
Re: sperl 5.00503 (and newer ;) exploit
From: Thomas Roessler <roessler () DOES-NOT-EXIST ORG>
Date: Thu, 10 Aug 2000 09:33:06 +0200
On 2000-08-08 14:27:03 -0400, Greg A. Woods wrote:
> I've been rather dismayed by the number of people posting patches which claim to "fix" mailx, aka BSD Mail. One could contend that it's not even broken in the first place!
Indeed. The fact that input to mailx (or to mailx mimicking /bin/mail) should be sanitized can be assumed to be well-known since - at least! - the days of CNews, which has some code to that avail in the scripts sending mail messages to administrators. Failure to do so is plainly the fault of the calling application, and should not be taken as a reason for removing traditional and well-established behaviour.

Just as well, the fact that the environment should be sanitized in a white-list approach before calling external programs from programs running setuid (and passing privileges to these external programs!) has been well-known for ages. Not following this guideline is plainly the fault of the calling application.

-- 
Thomas Roessler <roessler () does-not-exist org>
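As an added illustration of the white-list environment sanitization the message refers to (example code written for this page, not taken from the post, from sperl, or from mailx; the allow-list contents, the fixed PATH value and the helper program are assumptions), the following C builds a fresh envp that keeps only named variables and forces a known PATH before a privileged program hands control to an external helper via execve.

```c
/* Added example (not from the original post): construct a white-listed
 * environment for a setuid program before it runs an external helper.
 * The allow-list, the forced PATH and the helper path are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variables permitted to survive from the caller's environment.
 * Everything not listed here (LD_PRELOAD, IFS, PERL5LIB, ...) is dropped,
 * because the helper will run with the privileges we hold. */
static const char *const allowed[] = { "TZ", "LANG", NULL };

/* Entries that always override whatever the caller supplied. */
static const char *const forced[] = { "PATH=/bin:/usr/bin", NULL };

/* Return 1 if the NAME part of a "NAME=value" entry is on the allow-list. */
static int name_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;                 /* malformed entry: drop it */
    size_t len = (size_t)(eq - entry);
    for (int i = 0; allowed[i] != NULL; i++) {
        if (strlen(allowed[i]) == len && strncmp(allowed[i], entry, len) == 0)
            return 1;
    }
    return 0;
}

/* Build a NULL-terminated envp holding the forced entries plus the
 * allow-listed entries of src, in that order. Only the array is
 * allocated; the strings themselves are shared with src / forced. */
char **build_clean_env(char *const *src) {
    size_t n = 0;
    for (int i = 0; forced[i] != NULL; i++) n++;
    for (size_t i = 0; src != NULL && src[i] != NULL; i++)
        if (name_allowed(src[i])) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (out == NULL) return NULL;
    size_t k = 0;
    for (int i = 0; forced[i] != NULL; i++) out[k++] = (char *)forced[i];
    for (size_t i = 0; src != NULL && src[i] != NULL; i++)
        if (name_allowed(src[i])) out[k++] = src[i];
    out[k] = NULL;
    return out;
}

/* Number of entries in a NULL-terminated envp. */
size_t env_len(char *const *env) {
    size_t n = 0;
    while (env != NULL && env[n] != NULL) n++;
    return n;
}

/* Value of NAME in env, or NULL when NAME is absent. */
const char *env_get(char *const *env, const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

extern char **environ;

int main(void) {
    char **clean = build_clean_env(environ);
    if (clean == NULL) return 1;
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("keeping: %s\n", clean[i]);
    fflush(stdout);
    /* Give up the saved privileges before handing control to the helper;
     * as an unprivileged user this is a no-op. */
    if (setuid(getuid()) != 0) return 1;
    /* Assumed helper path: /bin/echo stands in for the real external program. */
    char *const argv[] = { "echo", "running with a clean environment", NULL };
    execve("/bin/echo", argv, clean);
    perror("execve");
    free(clean);
    return 1;
}
```

The point of the order in build_clean_env is that forced entries come first and the caller can never supply PATH at all, so even a duplicate-name lookup in the helper resolves to the fixed value; extending the allow-list is a deliberate, reviewable change rather than the default.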
Current thread:
- sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Olaf Kirch (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Joey Hess (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Pixel (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Francis J. Lacoste (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Greg A. Woods (Aug 09)
- Re: sperl 5.00503 (and newer ;) exploit Thomas Roessler (Aug 10)
- Re: sperl 5.00503 (and newer ;) exploit H. Peter Anvin (Aug 11)
- Re: sperl 5.00503 (and newer ;) exploit Olaf Kirch (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
- <Possible follow-ups>
- Re: sperl 5.00503 (and newer ;) exploit Paul Rogers (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Solar Designer (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Simon Cozens (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Paul Szabo (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Matthew Kirkwood (Aug 08)
- Re: sperl 5.00503 (and newer ;) exploit Paul Szabo (Aug 08)
- Re: sperl 5.00503 (and newer ;) exploit Simon Cozens (Aug 09)
- Re: sperl 5.00503 (and newer ;) exploit Randal L. Schwartz (Aug 10)