[exim-dev] potential exploitation vector

Top Page
Delete this message
Reply to this message
Author: Yuri Arabadji
Date:  
To: Exim-dev
Subject: [exim-dev] potential exploitation vector
Hi, devs.

A quick question to exim developers.

How is it possible that exim invokes something with superuser privileges and
that something is fed with user data?

I'm talking about things like encoding translations that happen when accessing
variables in system filter - iconv family of functions, for example. And hey,
why are we invoking system filter with euid 0 at all?! Is there any strong
reason of doing that or am I getting the code incorrectly?

Thank you.

--
Best regards,
Yuri Arabadji -- System Engineer