Timo Sirainen writes:
Although I don't use it, it's plausible the checkpassword hook is also
vulnerable via the MASTER_USER environment variable:
http://wiki2.dovecot.org/AuthDatabase/CheckPassword
This is one possibility, and it's the worst one because it could happen
before login.
On 26 Sep 2014, at 11:46, Joseph Tam wrote:
> On Fri, 26 Sep 2014, Stephan Bosch wrote:
>
>> I don't see much of an attack vector there either. However, there are
>> some people that have wrapped /usr/sbin/sendmail in a shell script to
>> achieve some sort of custom messaging behavior. Those wou
On Fri, 26 Sep 2014, Stephan Bosch wrote:
I don't see much of an attack vector there either. However, there are
some people that have wrapped /usr/sbin/sendmail in a shell script to
achieve some sort of custom messaging behavior. Those would be vulnerable.
Another possibility for trouble would
On 9/26/2014 6:29 AM, Philipp wrote:
> On 26.09.2014 02:59, Joseph Tam wrote:
>> Since dovecot passes values via environment variables based on
>> user input (e.g. username, password, mailbox?) to auxiliary
>> executables (including possibly bash shell scripts), is dovecot
>> vulnerable to this e
On 26.09.2014 02:59, Joseph Tam wrote:
Since dovecot passes values via environment variables based on
user input (e.g. username, password, mailbox?) to auxiliary
executables (including possibly bash shell scripts), is dovecot
vulnerable to this exploit?
Given this article about how e.g. PHP c
I'm right now handling this beach-ball sized grenade, and trying to
figure out which of our services need to be locked down right away.
Since dovecot passes values via environment variables based on
user input (e.g. username, password, mailbox?) to auxiliary
executables (including possibly bash