Message-ID: <20030716115418.GA22934@ohse.de>
Date: Wed, 16 Jul 2003 11:54:18 +0000
From: Uwe Ohse <uwe@...e.de>
To: smtpauth@...t.elysium.pl, qmail@...t.cr.yp.to, bugtraq@...urityfocus.com
Subject: Re: possible open relay hole in qmail-smtpd-auth patch
On Tue, Jul 15, 2003 at 12:36:05PM -0400, John Simpson wrote:
> the current version of the SMTP-AUTH patch contains a serious bug which can
> accidentally allow somebody who forgets one or more of the command line
> parameters to start running an open relay by accident. it has been reported
> in several places over the last week, including this message on the qmail
> mailing list:
A possible configuration problem is NOT a reason to disallow legitimate
configurations or to enforce the use of useless dummy arguments, and
unless you are going to invent some kind of artificial intelligence
inside tools or installers using checkpassword i request that you
stop this.
While the usual usage of checkpassword is something like this
    tcpserver host port prog1 [args] checkpassword prog2 [args]
there is no reason why one has to call it that way. One may replace
the part starting from "checkpassword" by a wrapper (this may be
especially handy to add logging, to try more than one checkpassword
style program or when one has to use different "tcpserver...prog1"
combinations all sharing identical later commandline arguments -
i've seen this being used).
Cluttering the commandline with "dummy-argument-for-stupid-patches"
or whatever is not going to do any good, is not looking good, and
does not add any security at all.
In fact, someone stupid enough to patch qmail without understanding
the patch and stupid enough to ignore vital parts of its
documentation (the examples, at least) is likely to be stupid
enough to change the order of checkpassword and /bin/true, too.
Are you now going to patch /bin/true to bail out in case it finds
commandline arguments?
> http://www.jms1.net/qmail/ has the modified "auth.patch" file available for
> download.
please? Are you seriously expecting that this:
+ if(argc > 2)
+ {
+ hostname = argv[1];
+ childargs = argv + 2;
+ useauth = 1;
+ }
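Review bot: the "argc > 2" guard at the top of this hunk is already satisfied when argc is 3, and in that case "childargs = argv + 2" holds exactly one entry, so the test only proves that argv[1] and argv[2] exist, not that argv[1] is a hostname or that the child command line is complete. If the intent is to reject an incomplete invocation, state the required argument layout in a comment and test for it explicitly, and document what useauth is when the condition is false, since the hunk shows no else branch.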
will work?
Hint: when called "qmail-smtpd HOST CHECKPASSWORD" argc will be 3.
I'd call this a beginner's mistake, but even beginners are supposed
to test their code.
> the changes i've made (actually CHECKING argc instead of assuming there will
> be something there) need to be incorporated into the qmail-smtpd-auth patch
i suggest you start "CHECKING" your code.
While i'm at it: Your qmail-1.03-jms1-antispam.patch not only violates
the SMTP protocol (replying OK when the mail will definitively not reach
the recipient) but does that in case of almost any programming or
configuration problem in the filter chain, causing shell/filters to
exit with 1.
Why the heck did you change exit code 1 from "temporary problem,
try again later" to "throw away that mail"? Why do you actually
run a smtp server if your mail is worthless?
Regards, Uwe
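
The wrapper arrangement mentioned in the message (logging, and trying more than one checkpassword-style program), as an added example that is not part of the original post and is not code from qmail or checkpassword. It assumes the checkpassword interface (login, password and timestamp NUL-terminated on descriptor 3; exit 0 accept, 1 reject, 2 misuse, 111 temporary problem); the name authwrap and the CHECKPW_BACKENDS variable are hypothetical.

```python
#!/usr/bin/env python3
# Added example: checkpassword-style wrapper (hypothetical name: authwrap).
# Installed in place of "checkpassword" in the tcpserver command line.
import os
import sys

def run_backend(argv, auth_data):
    """Run one backend with auth_data readable on its fd 3; return its exit code."""
    r, w = os.pipe()
    os.write(w, auth_data)              # at most 512 bytes, fits the pipe buffer
    os.close(w)
    pid = os.fork()
    if pid == 0:                        # child: becomes the backend
        try:
            os.dup2(r, 3)
            os.set_inheritable(3, True)  # needed when r is already 3
            os.execvp(argv[0], argv)
        finally:
            os._exit(111)               # exec failed: temporary problem
    os.close(r)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else 111

def run_chain(auth_data, backends, child_args, log=None):
    """Try each backend in order; return (exit_code, index_of_accepting_backend)."""
    if not backends:
        return 2, None                  # misuse: nothing to authenticate against
    # Log the login name only, never the password; repr() neutralises control bytes.
    user = auth_data.split(b"\0", 1)[0].decode("utf-8", "replace")
    for i, backend in enumerate(backends):
        code = run_backend(list(backend) + list(child_args), auth_data)
        print(f"authwrap: user={user!r} backend={backend[0]} exit={code}",
              file=log or sys.stderr)
        if code == 0:
            return 0, i                 # backend accepted and ran prog2
        if code != 1:
            return code, None           # 2 or 111: do not mask it as a rejection
    return 1, None                      # every backend rejected the password

if __name__ == "__main__":
    try:
        data = os.read(3, 512)          # written by prog1 (e.g. qmail-smtpd)
    except OSError:
        sys.exit(2)                     # misuse: started without descriptor 3
    paths = os.environ.get("CHECKPW_BACKENDS", "").split(":")  # hypothetical variable
    code, _ = run_chain(data, [[p] for p in paths if p], sys.argv[1:])
    sys.exit(code)
```

Only exit code 1 moves on to the next backend, so a temporary failure in one password store is reported as such instead of being turned into a rejection.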