[exim-dev] potential exploitation vector

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Yuri Arabadji
Data:  
Para: Exim-dev
Asunto: [exim-dev] potential exploitation vector
Hi, devs.

A quick question to exim developers.

How is it possible that exim invokes something with superuser privileges and
that something is fed with user data?

I'm talking about things like encoding translations that happen when accessing
variables in system filter - iconv family of functions, for example. And hey,
why are we invoking system filter with euid 0 at all?! Is there any strong
reason of doing that or am I getting the code incorrectly?

Thank you.

--
Best regards,
Yuri Arabadji -- System Engineer