[exim-dev] potential exploitation vector

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Yuri Arabadji
日付:  
To: Exim-dev
題目: [exim-dev] potential exploitation vector
Hi, devs.

A quick question to exim developers.

How is it possible that exim invokes something with superuser privileges and
that something is fed with user data?

I'm talking about things like encoding translations that happen when accessing
variables in system filter - iconv family of functions, for example. And hey,
why are we invoking system filter with euid 0 at all?! Is there any strong
reason of doing that or am I getting the code incorrectly?

Thank you.

--
Best regards,
Yuri Arabadji -- System Engineer