Message-ID: <3F14A5BA.1982DBAE@tesco.net>
Date: Wed, 16 Jul 2003 02:09:14 +0100
From: Jonathan de Boyne Pollard <J.deBoynePollard@...co.net>
To: qmail@...t.cr.yp.to
Cc: bugtraq@...urityfocus.com
Subject: Re: possible open relay hole in qmail-smtpd-auth patch


JS> I have written a revision to the qmail-smtpd-auth patch
JS> which compensates for this common error by not supporting
JS> the AUTH command unless all three command line arguments
JS> are present.

You've no guarantee that 3 is the correct number.  An administrator might
decide to use

	qmail-smtpd domain checkpassword /bin/echo Hello there.

rather than

	qmail-smtpd domain checkpassword /bin/true

for example, just for the heck of it.

If you are about to assert that "The number of arguments is always going to be
exactly 3 because 'checkpassword' is always going to be given just the one
argument, '/bin/true'.", then I suggest that you consider taking that fact
into account in the design of your modified patch, and eliminate the scope for
variation in something that you are asserting is in fact intended to be
constant.
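To make the objection concrete, here is an added example (not code from the thread, from qmail or from the qmail-smtpd-auth patch) that models how the command line `qmail-smtpd hostname checkpassword subprogram [args...]` is split, with the revised patch's "exactly three arguments" rule beside a rule that only requires the three mandatory parts; the struct, function and field names are assumptions for illustration.

```c
/* Added example: parsing qmail-smtpd's argument vector under the patch discussed above.
 * Assumed usage: qmail-smtpd <hostname> <checkpassword> <subprogram> [subprogram args...]
 */
#include <string.h>

struct auth_config {
    const char *hostname;      /* argv[1]: hostname used in the SMTP banner */
    const char *checkpassword; /* argv[2]: checkpassword-compatible program */
    char **subargv;            /* argv[3..]: program checkpassword runs on success, plus its args */
    int subargc;               /* number of entries in subargv */
    int auth_enabled;          /* whether AUTH should be offered at all */
};

/* strict=1: the revised patch's rule, offer AUTH only if exactly three args follow argv[0].
 * strict=0: require at least the three mandatory parts; everything after argv[2] belongs
 *           to the subprogram, so "/bin/echo Hello there." is a valid configuration.
 * Returns 1 when AUTH can be offered, 0 when it must stay disabled. */
int auth_config_parse(int argc, char **argv, int strict, struct auth_config *cfg)
{
    int nargs = argc - 1; /* arguments after the program name */

    memset(cfg, 0, sizeof *cfg);
    if (nargs < 3) {
        /* hostname, checkpassword or subprogram missing: never offer AUTH */
        return 0;
    }
    if (strict && nargs != 3) {
        /* extra subprogram arguments trip the "exactly 3" rule and silently disable AUTH */
        return 0;
    }
    cfg->hostname = argv[1];
    cfg->checkpassword = argv[2];
    cfg->subargv = &argv[3];
    cfg->subargc = nargs - 2;
    cfg->auth_enabled = 1;
    return 1;
}
```

With the strict rule, the `/bin/echo Hello there.` invocation from the mail is treated as misconfigured and AUTH vanishes; with the lenient rule it parses as a subprogram with two extra arguments, while a genuinely short command line (fewer than three parts) is still refused in both modes.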