[exim] Security reminder on email address characters

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Cyborg
CC: exim-users
Old-Topics: [exim] Infos: someone posted an none working exploit for exim
Subject: [exim] Security reminder on email address characters
Someone wrote:
>                                         On the other hand "`" is not an 
> allowed char in an emailaddress..


Not true. It's a valid character and not rejected by Exim's default
configure file.

*Any* character is valid with the double-quoted left-hand-side form, but
` does not even need that.

This is a valid, well-formed, email address:

Phil Pennock <a~`*&^%$#!_-={|}'/?b@???>

That one won't work because my Exim configure file, like many, rejects
the characters: @%!/|

So this too is a valid, well-formed email address which has the
advantage of working (at least on the receiving system):

Phil Pennock <a~`*&^$#_-={}'?b@???>

So too are these valid (and working):

<"X'); DROP TABLE domains; DROP TABLE passwords; --"@???>
<"<script>alert('Boo!')</script>"@???>

All of those are configured as aliases pointing to me (just, the first
one is blocked from being accepted by the ACLs).

-Phil