On 2000-03-13 14:31:23 -0000, Maurycy Prodeus wrote:
> Mail agent programs like: standard ;P 'mail' from
> Berkeley Distribution or mutt, elm perhaps others :),
> use sendmail arguments to put email address where luser
> wants to send mail. It's a similar problem to crontab's
> or lpd's bugs. Example: if you put a line with Reply-To:
> -X /dev/hda1 ;P or something like that :> to mail
> message and luser ( in this case root ) stupid pushes
> OK,OK,OK :) ( ofz he'd want to reply ) it may
> write/destroy file ( /dev/hda1 :] ). I know it isn't
> good example but I only wanted to show idea...

This does NOT work against mutt:

(1) We use execv to start sendmail from within mutt, so no
    shell parsing is involved.

(2) We explicitly tell sendmail to stop option processing
    (giving the "--" command line parameter) _before_ we
    start throwing externally-supplied e-mail addresses at
    it.

Please make sure you verify your claims about security
problems _before_ publishing them in public.

--
http://www.mutt.org/