[exim] ATTN: Re: CVE-2019-10149: already vulnerable ?

Top Page
Delete this message
Reply to this message
Author: Cyborg
Date:  
To: exim-users
Subject: [exim] ATTN: Re: CVE-2019-10149: already vulnerable ?
Am 23.06.19 um 21:02 schrieb Jeremy Harris via Exim-users:
>
>   deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>         message = no mate

>
> Thie is perhaps over-broad - a dollar sign in a local-part
> is strictly legitimate per the standards. However, it's
> not something most strictly-Ascii sites would be wanting to
> use, I suspect.


Anyone who used this restricted chars patch:

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[\$@%!/|]

Should add Jeremy's version as an addition to the old one, because tests
have shown that
attackers can substitute $ with \x24 .

We are not aware of any exploit succeeding to circumvent the patched
restricted chars rule, but better be safe than sorry!


best regards,
Marius