 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
Date: Tue, 19 Jan 1999 14:02:12 -0800 From: Steve VanDevender <stevev@HEXADECIMAL.UOREGON.EDU> To: BUGTRAQ@NETSPACE.ORG Subject: Re: Sendmail 8.8.x/8.9.x bugware Michal Zalewski writes: > On Mon, 18 Jan 1999, Olaf Seibert wrote: > > > 550 <rhialto@hacker.some.place.else@victim.some.where>... Relaying denied > > As you noticed, relaying is denied in your configuration ;P This attack is > possible if relaying is enabled, and it allows multiple redirections > trough protected or external networks, which shouldn't be allowed. > > For clearance - this problem IS PRESENT FOR SURE in 8.9.2, as well as DoS > attack described in previous mail... If Sendmail developers don't believe > me, I can post an exploit here, but iyt isn't really necessary, imho.... If you configure unrestricted relaying in sendmail 8.9, then you've done something stupid anyway (and overridden the default behavior). You claim that this will fix the problem: > Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert > following line: > R$*@$*@$* $#error $@ 5.7.1 $: "551 Sorry, no redirections." Unfortunately RFC 822 (and its followups) specify two kinds of problematic accepted address formats: user%host@relay @relay:user@host which both indicate that mail to user@host should be redirected through relay (which may actually be a sequence of relays, i.e. user%host%relay2@relay1 or @relay1,relay2:user@host). Your "fix" would break at least the second format. In any case, I can't perform the redirection that you claim is possible in sendmail 8.9.2 configured with FEATURE(access_db); I get the expected "550 Relaying denied" in a RCPT containing two '@'s where the relaying would be through a domain not permitted in the access file. Are you claiming this is possible in 8.9.2's default configuration (which still limits relaying)?
| |||||||||||||||||||||
|
|