Bugtraq mailing list archives
Re: Nasty hole in postifx/procmail/cyrus
From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Tue, 4 Jul 2000 17:27:18 -0600
procmail unix - n n - - pipe flags=R user=cyrus argv=/usr/bin/procmail -p \ /home/cyrus/procmail.common \ USER=${user} EXTENSION=${extension}In my opinion, the bug is for procmail to execute commands in per-recipient files when running with someone elses privileges. The pipe transport DOES NOT filter $name expansions, because the command is not executed by a shell. This is described in the pipe(8) manual page. The local delivery agent DOES filter $name expansions, because the command is often executed by a shell. The filter is under control by the $command_expansion_filter configuration parameter. This is described in the local(8) manual page. This applies to any external command executed by the local delivery agent, including mailbox_command. Wietse
So postfix does support the neccesary filtering required to sanitize the variables passed to procmail. If Postfix is properly setup, Procmail would not be vulnerable to the originally described hole.
Current thread:
- Nasty hole in postifx/procmail/cyrus John Pettitt (Jun 30)
- Posting vulnerabilities Alfred Huger (Jun 30)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 01)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- <Possible follow-ups>
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 06)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 14)