Bug#697057: Arbitrary arguments can be passed to spfquery, bypassing SPF validation
Andreas Metzler
ametzler at downhill.at.eu.org
Tue Jan 1 14:23:55 UTC 2013
On 2012-12-31 Lekensteyn <lekensteyn at gmail.com> wrote:
> Package: exim4-config
> Version: 4.72-6+squeeze3
> Tags: security
> In setting up exim4 I have been considering to enable SPF validation. To do
> so, I had to install the following packages:
> - exim4-daemon-light (default)
> - spf-tools-perl
[...]
> Conclusion:
> Random arguments can be passed to the spfquery command as shown above. Or,
> putting it differently, SPF validation can be bypassed in exim using a
> specially crafted MAIL FROM value. Possible solutions include:
> - Validate the sender, ensuring that quote characters cannot occur as this
> breaks the ${run} configuration. One has to check if this is in violation of
> SMTP (RFC5321) [1].
> - Make ${run} split program arguments first and then expand variables while
> keeping the arguments order. This would require help from upstream.
[...]
Doesn't ${quote: ...} help here? - A quick test with the attached
patch sems to suggest it does. - Could you verify this?
thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: quoteit.diff
Type: text/x-diff
Size: 749 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20130101/dd24c81a/attachment.diff>
More information about the Pkg-exim4-maintainers
mailing list