[Mimedefang] Filesystem based greylisting URL
David F. Skoll
dfs at roaringpenguin.com
Fri Aug 27 21:30:06 EDT 2004
On Fri, 27 Aug 2004, Atanas wrote:
> http://mimedefang.asd.aplus.net
Pretty cool. However, using user-supplied data to construct
filenames worries me slightly. I can imagine an attacker
doing something like:
MAIL FROM:<foo///../../../../../../../../etc/mischief at domain.net>
I can't see any way to really exploit this, given that MIMEDefang should
be running as the "defang" user, but still... I would sanitize the incoming
e-mail addresses, or better yet, use a SHA1 hash rather than the actual
address.
--
David.
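
One way to implement the SHA1 suggestion above in a Perl filter. This is an added example, not code from the original post or from MIMEDefang; the spool directory, the function names and the relay/sender/recipient triplet used as the key are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use File::Spec;

# Hypothetical spool directory; substitute whatever the filter really uses.
my $GREYLIST_DIR = '/var/spool/MIMEDefang/greylist';

# The pattern the post warns about: the raw address becomes part of the path.
sub naive_path {
    my ($sender) = @_;
    return "$GREYLIST_DIR/$sender";
}

# Hashed variant: the file name is 40 characters from [0-9a-f], so nothing
# the SMTP client sends ('/', '..', NUL, newlines) can reach the file system.
sub greylist_path {
    my ($relay_ip, $sender, $recipient) = @_;
    my @parts = map {
        my $v = defined $_ ? lc $_ : '';   # lowercasing is a policy choice
        $v =~ s/^<(.*)>$/$1/s;             # drop the angle brackets
        $v;
    } ($relay_ip, $sender, $recipient);
    # NUL-separate the fields so ("ab","c") and ("a","bc") hash differently.
    my $key = sha1_hex(join("\0", @parts));
    # Two-character fan-out keeps directories small; the caller creates it.
    return File::Spec->catfile($GREYLIST_DIR, substr($key, 0, 2), $key);
}

# Constructed sample input, modelled on the address in the post.
my $sender = '<foo///../../../../../../../../etc/mischief@example.net>';
my $path   = greylist_path('192.0.2.10', $sender, '<user@example.org>');

print "naive:  ", naive_path($sender), "\n";
print "hashed: $path\n";

# Defence in depth: only ever open <dir>/<2 hex>/<40 hex>.
die "unexpected greylist path\n"
    unless $path =~ m{\A\Q$GREYLIST_DIR\E/[0-9a-f]{2}/[0-9a-f]{40}\z};
```

The hash is one-way, so a greylist entry can no longer be read back as an address; log the triplet next to the digest if entries need to be inspected later.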