Re: [exim] Exim with Dovecot: Typical Misconfiguration Leads…

Author: Chris Siebenmann
Date:  
To: exim-users
Subject: Re: [exim] Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution
| if you are using Exim with Dovecot's Local Delivery Agent, your setup can
| contain a security problem. The use_shell is insecure.
|
| FYI:
| https://www.redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution


Everyone should note that this risk is not exclusive to using Dovecot
this way. *Any* Exim configuration that sets 'use_shell' on a command
line that includes $original_local_part or $sender_address or the like is
vulnerable to the same general issue; the local part of a remote address
can be controlled by the attacker and can be hacked to include shell
meta-characters.

(I feel that any use of use_shell should be a large danger sign and is
almost always a mistake. If you need things enabled by use_shell, the
better solution is to put them in a shell script and have Exim run the
shell script without use_shell.)

    - cks
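
A configuration check for the pattern described in the message above, added here as an example (not part of the original post and not Exim project code): it flags transports that set use_shell while expanding sender-controlled variables in their command. The variable list, the sample configuration, and its transport names and paths are assumptions constructed for illustration.

```python
import re

# Expansion variables a remote sender controls (assumed list; extend as needed).
TAINTED = ("local_part", "original_local_part", "sender_address",
           "sender_address_local_part", "local_part_suffix")
TAINTED_RE = re.compile(r"\$\{?(" + "|".join(TAINTED) + r")\b")

# Constructed sample; transport names and paths are placeholders.
SAMPLE = r'''
begin transports
lda_shell:
  driver = pipe
  command = /usr/local/libexec/lda-placeholder -f "$sender_address" \
            -a "$original_local_part@$original_domain"
  use_shell
lda_wrapper:
  driver = pipe
  command = /usr/local/bin/lda-wrapper.sh $sender_address $original_local_part
begin retry
'''

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and # comments."""
    joined = re.sub(r"\\\s*\n\s*", "", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def audit(config_text):
    """Flag use_shell transports that expand sender-controlled variables."""
    transports, section, name = {}, None, None
    for line in logical_lines(config_text):
        begin = re.match(r"begin\s+(\w+)$", line)
        if begin:
            section, name = begin.group(1), None
        elif section == "transports" and re.match(r"\w+:$", line):
            name = line[:-1]
            transports[name] = {"use_shell": False, "command": ""}
        elif section == "transports" and name:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "command":
                transports[name]["command"] = value
            elif key in ("use_shell", "no_use_shell", "not_use_shell"):
                on = value.lower() in ("", "true", "yes")
                transports[name]["use_shell"] = on if key == "use_shell" else not on
    return [(n, sorted(set(TAINTED_RE.findall(t["command"]))))
            for n, t in transports.items()
            if t["use_shell"] and TAINTED_RE.search(t["command"])]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The lda_wrapper transport passes the same variables as separate arguments to a script without use_shell, which is the arrangement the message recommends, so it is not flagged.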