Here's a heads up to anyone running procmail v3.11pre4.
In the procmailex man page there is an example of a simple fileserver.
The problem with the example is that after getting it working, I wanted
to see if the MAILDIR variable would isolate procmail to that directory.
The recipie in the man page sets up the fileserver so that incoming mail
with the subject: request <filename> returns the file from $HOME/fileserver.
If someone were to use this recipe, all a villain would have to send would be:
Subject: request /etc/passwd
and procmail cheerfully returns the passwd file, or any file that is
readable by the user that procmail suid's to. This could be particularly
bad if someone happened to have an infobot owned by root.
On a more practical level, an unscrupulous cad could just request
/var/mail/username and recieve the unsuspecting users mailfile.
I will leave the infinite possibilities to the creativity of the
gentle reader.
Below I have included the offending text for your perusal.
PROCMAILEX(5) PROCMAILEX(5)
:0
* !^X-Loop: yourname@your.main.mail.address
* !^Subject:.*Re:
* !^FROM_DAEMON
* ^Subject:.*request
{
MAILDIR=$HOME/fileserver # chdir to the fileserver directory
:0 h # extract the requested filename(s)
FILES=| sed -n -e 's/^Subject:.*request \(.*\)/\1/p'
:0 f # reverse the mailheader
| formail -rA "X-Loop: yourname@your.main.mail.address"
:0
| (cat; cat $FILES) | $SENDMAIL -oi -t
}
Nice network. We'll take it.
(jamie|batsy)@vapour.net
Quality by Defective Technologies