There is a small possible security hole in incoming.pl. If it is called with an argument, $user is taken in and essentially unchecked. Later in the script, files are created/opened using that variable. This can pose problems, especially if the script is called by sendmail and somehow bad data is passed to the script. As a matter of fact, when called by sendmail, setuid, the script will die with an error:
Insecure dependency in open while running setuid at /usr/lib/perl5/5.00502/i586-linux/IO/File.pm line 164
Well, there is an easy fix. Just open incoming.pl and find the line in sub get_input that reads:
($user =~ /@/) and $user =~ s/@.+$//;
Under that, add the following lines:
if ($user =~ /^([\w\.]+)$/) {
$user = $1;
} else {
die "No user specified";
}
This removes any bad characters from the username that is given to the script and untaints the variable.
Matt Hahnfeld
EverySoft