
tellme at oliver-block
Oct 21, 2009, 6:20 AM
Post #1 of 2
Hello everyone,

these days you can read dozens of articles that implicitly claim that the following code will produce more than one mail message at a time if used by a malicious user. I doubt that it is true, but I'd like to ask here, because you know your MTA better than I. The C code to access sendmail is the following:

    ...
    errno = 0;
    sendmail = popen(sendmail_cmd, "w");
    if (sendmail) {
        ...
        fprintf(sendmail, "To: %s\n", to);
        fprintf(sendmail, "Subject: %s\n", subject);
        if (hdr != NULL) {
            fprintf(sendmail, "%s\n", hdr);
        }
        fprintf(sendmail, "\n%s\n", message);
        ret = pclose(sendmail);
    ...

Let's assume that a pipe has been opened successfully to sendmail (qmail-inject). Now some say that if the content of hdr can be manipulated in a way that it contains something like the following, this would make sendmail (and other MTAs) produce *two* messages (because of the dot, which indeed is an indicator of the end of a message for SMTP in RFC 2821). But if I am right, we do not "talk" SMTP here. In their imagination the content could be e.g.:

    To: someone[at]somewhere
    Subject: inquiry
    From: fake[at]addresse
    To: spam[at]opfer.de
    BCC: spam[at]opfer2.de, spam[at]opfer3.de, spam[at]opfer999.de
    Subject: Buy cheap Viagra!
    Buy cheap Viagra and Vicodine here: http://spamsite.com/
    .
    [headers for message 2]
    Hello, I have a question.
    .

I am not asking about the possibility of multiple copies caused by the Bcc header field, but only if a single dot in one line followed by CRLF or LF will make sendmail send two different messages. Has sendmail ever been prone to that in earlier versions?

BTW: I think it is important to be security aware and I do not want to ridicule concerns regarding secure software, and also not those who publish that.

Best regards,
Oliver Block
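The following C program is an added example, not code from the post above and not from sendmail or qmail. It assembles the message exactly the way the posted snippet writes it to the pipe (To, Subject, the caller-supplied hdr block, a blank line, the body) and then inspects what the MTA would actually read: how many To:/Bcc: header lines end up in the header block when hdr is hostile, and how many body lines consist of a single dot. It also shows a hardened variant of the popen() sequence that refuses CR/LF in single header values and only accepts allowlisted header names in hdr. The command string in SENDMAIL_CMD, the allowlist, the function names and all addresses are assumptions made for this example.

```c
/* Added example, not code from the original post or from any MTA. Assembles the
 * message the way the posted snippet writes it to the pipe, inspects the result,
 * and shows a hardened variant. Build: cc -Wall -o mailcheck mailcheck.c */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed command (the post's sendmail_cmd): -t takes recipients from the
 * headers, -i makes sendmail ignore a lone "." on a line in its input. */
#define SENDMAIL_CMD "/usr/sbin/sendmail -t -i"

/* Assumed allowlist of header names a caller may pass in hdr. */
static const char *const allowed_hdr[] = { "Reply-To", "Content-Type", "X-Mailer", NULL };

/* Line helpers: length up to '\n' or NUL, and start of the following line. */
static size_t line_len(const char *p) { const char *e = strchr(p, '\n'); return e ? (size_t)(e - p) : strlen(p); }
static const char *next_line(const char *p) { const char *e = strchr(p, '\n'); return e ? e + 1 : p + strlen(p); }

/* True if the line of length n starts with "name:". */
static int line_is_header(const char *l, size_t n, const char *name)
{
    size_t k = strlen(name);
    return n > k && strncmp(l, name, k) == 0 && l[k] == ':';
}

/* A single header value must not contain CR or LF: a newline in "to" or
 * "subject" lets the caller append arbitrary further header lines. */
int header_value_is_safe(const char *v)
{
    return v != NULL && strpbrk(v, "\r\n") == NULL;
}

/* hdr is a block of caller-supplied header lines. Accept it only if every line
 * names an allowlisted header, contains no CR and is non-empty: an empty line
 * ends the header block and turns whatever follows into body text. */
int hdr_block_is_safe(const char *hdr)
{
    for (const char *l = hdr; *l; l = next_line(l)) {
        size_t n = line_len(l), i;
        if (n == 0 || memchr(l, '\r', n)) return 0;
        for (i = 0; allowed_hdr[i] && !line_is_header(l, n, allowed_hdr[i]); i++)
            ;
        if (!allowed_hdr[i]) return 0;
    }
    return 1;
}

/* Assemble the message exactly as the posted snippet does: To, Subject, the
 * optional hdr block, a blank line, the body. Caller frees the result. */
char *build_message(const char *to, const char *subject, const char *hdr, const char *message)
{
    size_t n = strlen(to) + strlen(subject) + strlen(message) + (hdr ? strlen(hdr) : 0) + 32;
    char *buf = malloc(n);
    if (!buf) return NULL;
    int len = snprintf(buf, n, "To: %s\nSubject: %s\n", to, subject);
    if (hdr)
        len += snprintf(buf + len, n - len, "%s\n", hdr);
    snprintf(buf + len, n - len, "\n%s\n", message);
    return buf;
}

/* Count header lines named `name` in the header block (before the first empty
 * line). A hostile hdr shows up here as extra To:/Bcc: lines. */
int count_header(const char *msg, const char *name)
{
    int count = 0;
    for (const char *l = msg; *l && *l != '\n'; l = next_line(l))
        count += line_is_header(l, line_len(l), name);
    return count;
}

/* Count body lines that consist of a single ".": that is all the pipe carries
 * to the MTA; nothing in this program splits the text into two messages. */
int count_lone_dots(const char *msg)
{
    const char *body = strstr(msg, "\n\n");
    int count = 0;
    if (!body) return 0;
    for (const char *l = body + 2; *l; l = next_line(l))
        count += (line_len(l) == 1 && l[0] == '.');
    return count;
}

/* Hardened form of the posted sequence: validate, then hand the message to
 * popen(). Returns -1 if rejected or on failure, 0 in dry-run mode (prints the
 * message instead of sending it), otherwise the pclose() status. */
int send_mail(const char *to, const char *subject, const char *hdr, const char *message, int dry_run)
{
    if (!header_value_is_safe(to) || !header_value_is_safe(subject) || (hdr && !hdr_block_is_safe(hdr)))
        return -1;
    char *msg = build_message(to, subject, hdr, message);
    if (!msg) return -1;
    FILE *out = dry_run ? stdout : popen(SENDMAIL_CMD, "w");
    if (!out) { free(msg); return -1; }
    fputs(msg, out);
    int ret = dry_run ? 0 : pclose(out);
    free(msg);
    return ret;
}
```

With the hostile hdr from the post (extra To:, Bcc: and a second Subject:), count_header() reports two To: lines and one Bcc: line in the single header block the MTA receives, which is the header-injection problem the snippet has regardless of how dots are treated; the lone dot is simply one more body line in the bytes written to the pipe. Whether the MTA then interprets that line specially is a property of the MTA and its invocation, not of the C code: sendmail(8) documents -i (equivalently -oi) as "ignore dots alone on lines by themselves in incoming messages", which is why the assumed command above passes it.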