lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 Feb 2004 20:56:09 +0100
From: Marco van Berkum <>
Subject: Symlink vulnerabilities in mailmgr

Title          : Symlink vulnerabilities in mailmgr
Bug finder     : Marco van Berkum (
Website        :
URL to mailmgr :
Tested version : Mailmgr-1.2.3
Date           : 12 Feb 2004

About mailmgr
Mailmgr is a Sendmail Analysis Report Generator that can be used to 
create HTML reports.

High when mailmgr is executed as root, root owned files can then be 

Problem description
By default mailmgr uses predictable temporary filenames placed in /tmp, 
which allows local users to launch a  symlinkattack to overwrite files 
owned by users or superusers that run mailmgr to generate mailreports. 

By default these are the temporary filenames:


Simply create a symlink in /tmp to any file you wish to overwrite, for 

/tmp/mailmgr.unsort -> /file/you/whish/to/corrupt

When the user (could be root) executes mailmgr the targetfile will be 

Use the temporary_dir directive in /usr/local/etc/mailmgr.conf to point 
to a directory that does not have a sticky bit set.

Powered by blists - more mailing lists