[exim-dev] potential exploitation vector

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Yuri Arabadji
Datum:  
To: Exim-dev
Betreff: [exim-dev] potential exploitation vector
Hi, devs.

A quick question to exim developers.

How is it possible that exim invokes something with superuser privileges and
that something is fed with user data?

I'm talking about things like encoding translations that happen when accessing
variables in system filter - iconv family of functions, for example. And hey,
why are we invoking system filter with euid 0 at all?! Is there any strong
reason of doing that or am I getting the code incorrectly?

Thank you.

--
Best regards,
Yuri Arabadji -- System Engineer