Security hole(?) in Siesta::Send::Sendmail::send()


From: Ilya Martynov
Subject: Security hole(?) in Siesta::Send::Sendmail::send()
Date: 17:14 on 16 Oct 2003
Hi,

I suspect there is a serious security hole in
Siesta::Send::Sendmail::send().

Source code:

sub send {
    [..snip..]

    my $from = $args{'from'} || $message->from;
    my $to   = $args{'to'}   || ( $message->to )[0];
    my @to   = ref $to eq 'ARRAY' ? @$to : ( $to );

    [..snip..]

    while (my @local = splice @to, 0, $sendmail_limit) {
        local *SENDMAIL;
        open SENDMAIL, "|/usr/sbin/sendmail -oi -f $from " . join( ' ', @local )
          or die "couldn't fork sendmail $!";

        [..snip..]
    }

    return 1;
}

It looks like the sendmail command line is being constructed using
untrusted input (i.e. the From and/or To field from $message). Using a
carefully constructed From or To field, it seems it is possible to
inject an arbitrary shell command into this command line.

A simple fix is to just escape what needs to be escaped with quotemeta.

-- 
Ilya Martynov,  ilya@xxxxxxx.xxx
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support
UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org
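
Added example (not part of the original post and not Siesta's code): the same pipe to sendmail opened with Perl's list-form open, which runs the program without a shell, so metacharacters in From/To reach it as plain argument text. The helper names, the address checks, the sample addresses and the perl one-liner standing in for /usr/sbin/sendmail are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not part of Siesta: build sendmail's argument list and
# refuse addresses that could be read as options or that carry whitespace or
# control characters.
sub sendmail_args {
    my ($from, @rcpt) = @_;
    die "no recipients\n" unless @rcpt;
    for my $addr ($from, @rcpt) {
        die "empty address\n" unless defined $addr && length $addr;
        die "address starts with '-': $addr\n" if $addr =~ /^-/;
        die "whitespace or control character in address\n"
            if $addr =~ /[\s\x00-\x1f\x7f]/;
    }
    return ('-oi', '-f', $from, @rcpt);
}

# List-form pipe open (perl 5.8+): the program is exec'd directly with each
# list element as one argument, so no shell ever parses the addresses.
sub open_mailer {
    my ($program, @args) = @_;
    open(my $fh, '|-', $program, @args)
        or die "couldn't fork $program: $!";
    return $fh;
}

# Constructed sample input: a sender containing a shell metacharacter.
my $from = 'bounce@example.org;echo_INJECTED';
my @to   = ('alice@example.org', 'bob@example.org');

# Stand-in for /usr/sbin/sendmail so this runs offline: a perl one-liner that
# reports each argument it received and counts the message lines on STDIN.
my $report = 'my @l = <STDIN>; print "arg: [$_]\n" for @ARGV;'
           . ' print scalar(@l), " message line(s)\n"';

my $fh = open_mailer($^X, '-e', $report, '--', sendmail_args($from, @to));
print {$fh} "Subject: test\n\nbody\n";
close($fh) or die "mailer exited with status $?\n";
```

In real use, pass '/usr/sbin/sendmail' as the program and drop the '-e', $report, '--' stand-in arguments.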

Generated at 13:56 on 01 Jul 2004 by mariachi 0.52