Re: possible open relay hole in qmail-smtpd-auth patch

From: Jonathan de Boyne Pollard (J.deBoynePollardat_private)
Date: Tue Jul 15 2003 - 18:09:14 PDT

Next message: Talley, Brooks: "Disclosure-for-pay?"

Previous message: G00db0y: "ZH2003-10SA (security advisory): Mail System Ver. 0.9 Beta"
In reply to: John Simpson: "possible open relay hole in qmail-smtpd-auth patch"
Next in thread: Uwe Ohse: "Re: possible open relay hole in qmail-smtpd-auth patch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

JS> i have written a revision to the qmail-smtpd-auth patch 
JS> which compensates for this common error by not supporting 
JS> the AUTH command unless all three command line arguments 
JS> are present.

You've no guarantee that 3 is the correct number.  An administrator might
decide to use

	qmail-smtpd domain checkpassword /bin/echo Hello there.

rather than

	qmail-smtpd domain checkpassword /bin/true

for example, just for the heck of it.

If you are about to assert that "The number of arguments is always going to be
exactly 3 because 'checkpassword' is always going to be given just the one
argument, '/bin/true'.", then I suggest that you consider taking that fact
into account in the design of your modified patch, and eliminate the scope for
variation in something that you are asserting is in fact intended to be
constant.

Next message: Talley, Brooks: "Disclosure-for-pay?"
Previous message: G00db0y: "ZH2003-10SA (security advisory): Mail System Ver. 0.9 Beta"
In reply to: John Simpson: "possible open relay hole in qmail-smtpd-auth patch"
Next in thread: Uwe Ohse: "Re: possible open relay hole in qmail-smtpd-auth patch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 15:09:24 PDT