Hi Denis,

> I suspect the exploit goes something like this:
>
> exim calls perl routine(s) which calls external programs. Malicious
> user manipulates the search path etc so malicious user's external
> program(s) are called instead of the system versions. This is all
> done as a privileged user, so malicious user now has a shell running
> as that privileged user. Your system will shortly become toast...

There is no mention of perl_startup in any Exim configuration file.
${perl{...... is never used.

The danger appears to be from within Perl, as shown in Chapter 12.

    my $lp = Exim::expand_string('$local_part');

It would be nice if Exim refused sub-routine calls as shown in the above
example. Perhaps a new configuration parameter

    perl_allow_subroutines = NO ?

Thus

    keep_environment =

promotes safety?

Thank you.

--
Regards,
Paul.
England, EU. England's place is in the European Union.
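
An added example, not part of the original message and not Exim's own code: a small audit that checks a configuration for the three things discussed above, namely a perl_startup setting, any ${perl{ expansion, and the value given to keep_environment. The sample configuration is constructed, the function names are hypothetical, and the parser is a simplification (it joins backslash continuations and skips comment lines but does not follow .include directives).

```python
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = r"""
# main section
primary_hostname = mail.example.org
keep_environment =
# perl_startup = do '/etc/exim/exim.pl'
begin routers
local_user:
  driver = accept
  condition = ${if eq{${perl{check_user}{$local_part}}}{ok}}
"""

def logical_lines(text):
    """Yield (first_line_no, text) with comments dropped and continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or (not buf and not line):
            continue                      # comment line, or blank line between settings
        if not buf:
            start = no
        if line.endswith("\\"):           # backslash continuation: keep collecting
            buf += line[:-1]
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf

def audit(text):
    """Report where embedded Perl is enabled or called, and what keep_environment holds.

    keep_environment is None when the option is absent, [] when set to empty,
    otherwise the list of variable names it names.
    """
    found = {"perl_startup": [], "perl_expansion": [], "keep_environment": None}
    for no, line in logical_lines(text):
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1) == "perl_startup":
            found["perl_startup"].append(no)
        if m and m.group(1) == "keep_environment":
            found["keep_environment"] = [v.strip() for v in m.group(2).split(":") if v.strip()]
        if "${perl{" in line:             # expansion item that calls a Perl subroutine
            found["perl_expansion"].append(no)
    return found

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against each configuration file in use; a commented-out perl_startup line is ignored, while a ${perl{ item split across continuation lines is still reported at the line where the setting starts.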