Security hole(?) in Siesta::Send::Sendmail::send()

[prev] [thread] [next] [lurker] [Date index for 2003/10/16]

From: Ilya Martynov
Subject: Security hole(?) in Siesta::Send::Sendmail::send()
Date: 17:14 on 16 Oct 2003

I suspect there is a serious security hole in

Source code:

sub send {

    my $from = $args{'from'} || $message->from;
    my $to   = $args{'to'}   || ( $message->to )[0];
    my @to   = ref $to eq 'ARRAY' ? @$to : ( $to );


    while (my @local = splice @to, 0, $sendmail_limit) {
        local *SENDMAIL;
        open SENDMAIL, "|/usr/sbin/sendmail -oi -f $from " . join( ' ', @local )
          or die "couldn't fork sendmail $!";


    return 1;

Looks like sendmail command line is being constructed using untrusted
input (i.e. From and/or To field from $message). Using carefully
constructed From or To field it seems it is possible to inject
arbitrary shell command in this command line.

Simple fix is just escape what needs to be escaped with quotemeta.

Ilya Martynov,
Quality Perl Programming and Unix Support
UK managed @ offshore prices -
Personal website -

Generated at 13:56 on 01 Jul 2004 by mariachi 0.52