BugTraq
possible open relay hole in qmail-smtpd-auth patch Jul 15 2003 04:36PM
John Simpson (jms1 jms1 net) (2 replies)
Re: possible open relay hole in qmail-smtpd-auth patch Jul 16 2003 11:54AM
Uwe Ohse (uwe ohse de) (1 replies)
Re: possible open relay hole in qmail-smtpd-auth patch Jul 16 2003 08:48PM
Valdis Kletnieks vt edu (1 replies)
Re: possible open relay hole in qmail-smtpd-auth patch Jul 17 2003 12:12PM
Uwe Ohse (uwe ohse de)
Re: possible open relay hole in qmail-smtpd-auth patch Jul 16 2003 01:09AM
Jonathan de Boyne Pollard (J deBoynePollard tesco net)
JS> i have written a revision to the qmail-smtpd-auth patch
JS> which compensates for this common error by not supporting
JS> the AUTH command unless all three command line arguments
JS> are present.

You've no guarantee that 3 is the correct number. An administrator might
decide to use

qmail-smtpd domain checkpassword /bin/echo Hello there.

rather than

qmail-smtpd domain checkpassword /bin/true

for example, just for the heck of it.

If you are about to assert that "The number of arguments is always going to be
exactly 3 because 'checkpassword' is always going to be given just the one
argument, '/bin/true'.", then I suggest that you consider taking that fact
into account in the design of your modified patch, and eliminate the scope for
variation in something that you are asserting is in fact intended to be
constant.
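The two designs contrasted in the message above, as an added example that is not part of the original post and is not code from the qmail-smtpd-auth patch: an exact-count check, a check that lets the subprogram carry its own arguments, and a variant that fixes the subprogram as a constant. The function names and the argv layout (`domain checkpassword subprogram [args...]`, taken from the two command lines in the message) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed layout: argv[0] domain checkpassword subprogram [subprogram args...] */
static int nonempty(const char *s) { return s != NULL && s[0] != '\0'; }

/* Rule as quoted: offer AUTH only when exactly three arguments are present. */
static int auth_exact_three(int argc, char **argv)
{
    return argc == 4 && nonempty(argv[1]) && nonempty(argv[2]) && nonempty(argv[3]);
}

/* Tolerant rule: the subprogram may be followed by arguments of its own. */
static int auth_at_least_three(int argc, char **argv)
{
    return argc >= 4 && nonempty(argv[1]) && nonempty(argv[2]) && nonempty(argv[3]);
}

/* Constant-subprogram design: the administrator supplies only domain and
 * checkpassword, and the child argv is built with a fixed /bin/true.
 * Returns the number of entries written (excluding the NULL), or 0 when
 * AUTH must stay disabled. */
static int fixed_child_argv(int argc, char **argv, char *child[3])
{
    static char subprogram[] = "/bin/true";
    if (argc != 3 || !nonempty(argv[1]) || !nonempty(argv[2]))
        return 0;
    child[0] = argv[2];      /* checkpassword program */
    child[1] = subprogram;   /* no scope left for variation */
    child[2] = NULL;
    return 2;
}

int main(void)
{
    /* Constructed argv arrays mirroring the two command lines in the message. */
    char *a[] = {"qmail-smtpd", "domain", "checkpassword", "/bin/true", NULL};
    char *b[] = {"qmail-smtpd", "domain", "checkpassword", "/bin/echo", "Hello", "there.", NULL};
    char *c[] = {"qmail-smtpd", "domain", "checkpassword", NULL};
    char *child[3];
    printf("exact three:    true=%d echo=%d\n", auth_exact_three(4, a), auth_exact_three(6, b));
    printf("at least three: true=%d echo=%d\n", auth_at_least_three(4, a), auth_at_least_three(6, b));
    printf("fixed design:   entries=%d\n", fixed_child_argv(3, c, child));
    return 0;
}
```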
