1996-09-22 - Re: How to use procmail
Header Data
From: Adam Shostack <adam@homeport.org>
To: ichudov@algebra.com
Message Hash: 36ac5bd53aa11938f4f145aa1a6e627cecdf33773e4d55477f05e04231772915
Message ID: <199609221455.JAA15169@homeport.org>
Reply To: <199609220423.XAA00811@manifold.algebra.com>
UTC Datetime: 1996-09-22 16:49:24 UTC
Raw Date: Mon, 23 Sep 1996 00:49:24 +0800
Raw message
From: Adam Shostack <adam@homeport.org>
Date: Mon, 23 Sep 1996 00:49:24 +0800
To: ichudov@algebra.com
Subject: Re: How to use procmail
In-Reply-To: <199609220423.XAA00811@manifold.algebra.com>
Message-ID: <199609221455.JAA15169@homeport.org>
MIME-Version: 1.0
Content-Type: text
Igor Chudov @ home wrote:
| Adam Shostack wrote:
| > :0
| > * From bal@swissnet.ai.mit.edu
| > {
| > :0E
| > | pgp +batchmode -fka
|
| Isn't this vulnerable to "deadbeef" attacks? I can also see an attack when
| someone sends you an email with the spooofed "From " address and a user
| name that is the same (or almost the same) as that of your trusted parties.
| Then I can send you a bogus email containing a key for mrx@bogus.com
| and next time you encrypt something for your friend nrx@provider.com,
| you will actually encrypt it with the wron key. If I intercept your
| email, your message to mrx can be compromised.
Yes its vulnerable. I might see it in the logs, but I've
personally verified most of the keys I care about, and they carry my
signature, at least on my local keyring.
| > # basic file server. Only sends whats in .outbound
| > :0
| > * ^Subject: (SEND|get) [0-9a-z][-_/0-9a-z.]+$
| > * !^Subject:.*[ /.]\.
| > * !^FROM_DAEMON
| > {
| > # FILE=`formail -x Subject: | sed 's/.* //'`
| > FILE=`sed -n -e '/Subject:/s/.* //p' -e '/^$/q'`
| >
| > :0c
| > | (formail -rt -A"Precedence: junk";\
| > cat $HOME/.outbound/$FILE) | $SENDMAIL -t
|
| *If* .outbound has some subdirectories (say subdir), How about this email:
|
| From: dumbass@aol.com
| Subject: GET subdir/../../../../etc/passwd
| Reply-To: blin@algebra.com
That will fail in the second subject line:
* !^Subject:.*[ /.]\.
Subject: does not match '/' or '.' followed by '.'
The first Subject: line prevents absolute pathnames.
* ^Subject: (SEND|get) [0-9a-z][-_/0-9a-z.]+$
So, AFAIK, you can't get anything but real subdirectories. Feel free
to install it on localhost & experiment. I was pretty careful when I
wrote it to make it safe.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
Thread
Return to September 1996
- Return to “Adam Shostack <adam@homeport.org>”
- Return to “ichudov@algebra.com (Igor Chudov @ home)”
Return to “Martin Janzen <janzen@idacom.hp.com>”
- Unknown thread root
- 1996-09-04 (Thu, 5 Sep 1996 07:47:56 +0800) - Re: How to use procmail - Martin Janzen <janzen@idacom.hp.com>
- 1996-09-05 (Thu, 5 Sep 1996 10:40:05 +0800) - Re: How to use procmail - Adam Shostack <adam@homeport.org>
- 1996-09-22 (Sun, 22 Sep 1996 15:04:11 +0800) - Re: How to use procmail - ichudov@algebra.com (Igor Chudov @ home)
- 1996-09-22 (Mon, 23 Sep 1996 00:49:24 +0800) - Re: How to use procmail - Adam Shostack <adam@homeport.org>
- 1996-09-22 (Sun, 22 Sep 1996 15:04:11 +0800) - Re: How to use procmail - ichudov@algebra.com (Igor Chudov @ home)
- 1996-09-05 (Thu, 5 Sep 1996 10:40:05 +0800) - Re: How to use procmail - Adam Shostack <adam@homeport.org>
- 1996-09-04 (Thu, 5 Sep 1996 07:47:56 +0800) - Re: How to use procmail - Martin Janzen <janzen@idacom.hp.com>