[Mimedefang] defang script using chown or chgrp
rob.macgregor at gmail.com
Tue Apr 29 02:42:36 EDT 2008
On Tue, Apr 29, 2008 at 7:32 AM, Jon Rowlan <jon.rowlan at sads.com> wrote:
> I don't understand. I have around 20 domains. Sendmail filters mails so
> that I only accept mail to these domains therefore there is no ambiguity
> or window of opportunity in $recipient (it actually only holds the
> domain portion of the recipient name by this stage). $MsgID is a unique
> name that is manufactured by sendmail. I am struggling to think of a way
> that this can be abused by a third party.
Actually, the message ID could be created by the original mail client.
Sendmail only creates it if it receives an email that's missing one.
With your setup if somebody created a message ID of, say,
"../../etc/passwd" you could find yourself in a world of hurt.
Please keep list traffic on the list.
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
More information about the MIMEDefang