Hi!
Yes it is true! It works, with a small change in the example to match the
string in my script (I had to customize it initially).
A quick workaround that I have just applied is to make sure that the
string does not contain /sendmail/ so it cannot be injected into syslog
via sendmail (may be injected some other way!).
Hope this helps while, a better solution is suggested.
Regards,
Ramon.
On Tue, 3 Jul 2001, Andrea Barisani wrote:
> Hi to all,
>
[...]
>
> The syslog string searched by the script is in this form for the qpop
> server
>
> /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9]\.]+)/)
>
> On some cobalt raq3 servers (with the poprelayd add-on packet installed )
> and in general on any system running the poprelayd script with sendmail is
> possible to "inject" this string in the syslog using sendmail logging. So
> anyone can insert a fake string with his own IP wich will be parsed by
> poprelayd and that will permit the use of sendmail as a relay.
>
[...]
-----------------------------------------------------------------------------
CIMAT Ramon Reyes Carrion
Apdo. Postal 402 e-mail:ramonat_private
36000 Guanajuato, Gto. Tel (52) (473) 27155 Ext 49571
MEXICO Fax (52) (473) 25749.
http://www.cimat.mx/
This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 11:36:14 PDT