[Users] That won't work.
claws at dragony.name
claws at dragony.name
Sun Oct 11 21:59:12 CEST 2020
>BTW, I tried to send an email to myself with a quoted naughty command
>appended to the address. It failed with an SMTP error without reaching
>even my ISP - ** error occurred on SMTP session
>*** Error occurred while sending the message:
>501 ... malformed address ...
>
>If anybody thinks they could send me such a malformed address, please
>do so. Please cc me as well so I can see you tried. (I'd rather you
>didn't use an actual rm command just in case you succeed :)
Try packing the naughty command in the name so you don't violate the RFC.
To: You <legit at address.com>, "Mr. Han';touch /tmp/boom;'" <whatever at you.name>
The exact magic chars needed depend on the claws code. Maybe claws uses system("") or system('') or system(string). I haven't checked the claws code, I am just a simple claws user. :(
- Dragony
More information about the Users
mailing list