On 2013-05-06 at 14:43 -0400, Chris Siebenmann wrote:
> Everyone should note that this risk is not exclusive to using Dovecot
> this way. *Any* Exim configuration that sets 'use_shell' on a command
> line that include $original_local_part or $sender_address or the like is
> vulnerable to the same general issue; the local part of a remote address
> can be controlled by the attacker and can be hacked to include shell
> meta-characters.
This includes $h_* variables for looking at message headers, where
there's even more flexibility for the attacker.
> (I feel that any use of use_shell should be a large danger sign and is
> almost always a mistake. If you need things enabled by use_shell, the
> better solution is to put them in a shell script and have Exim run the
> shell script without use_shell.)
The "Security considerations" chapter of The Exim Specification did not
call out the danger here, even though it was stated around the use_shell
definition, so I added a new section to the chapter.
http://git.exim.org/exim.git/commitdiff/5336c0d9bbf5de9a948c168de692a092e557d8b6
Feedback welcome.
-Phil
