Re: [exim] CVE-2019-10149: already vulnerable ?

Top Page
Delete this message
Reply to this message
Author: Cyborg
Date:  
To: exim-users
New-Topics: [exim] Backslashes in addresses [Was: CVE-2019-10149: already vulnerable ?]
Subject: Re: [exim] CVE-2019-10149: already vulnerable ?
Am 24.06.19 um 19:55 schrieb Ian Zimmerman via Exim-users:
> On 2019-06-24 17:23, Jeremy Harris wrote:
> For instance, if I say this in the -bh dialog:
>
> RCPT TO:<it\z@???>
>
> the local part being tested, according to the >>> output, is just "itz",
> which of course ends up being accepted.
>
> I think this is a bug, do you agree?
>

try a real Escape Sequence like \x instead, as \z is no valid escape
sequence. Exim may remove those as "bugs in your regex" before
processsing it.

best regards,
Marius