[Users] That won't work.

Dave Howorth dave at howorth.org.uk
Mon Oct 12 11:56:35 CEST 2020


On Sun, 11 Oct 2020 20:28:36 -0400
"Michael A. Yetto" <myetto at gmail.com> wrote:

> On Sun, 11 Oct 2020 21:17:37 +0200
> claws at dragony.name writes, and having writ moves on:
> 
> > >> My solution IS working in that case, but has the stated security
> > >> problems because claw seems to execute the shell script with the
> > >> parameters "the easy way".      
> > >
> > >But it's your script, and your choice. Should a bash shell prevent
> > >you from running rm -rf /* if that's your choice? Or is a bash a
> > >security risk too?    
> > 
> > The "rm -rf /*" part is not even arriving at my script, so I can't
> > do anything about it in my script. Is there really nobody here
> > seeing a security risk with |p{/your/program
> > %some_var_with_arbitrary_data} while everything in {} is being
> > passed unquoted to the shell??
> > 
> > Yes, you can say "Then don't pass parameters to your program!" but
> > calling a program without parameters is not very useful in most
> > cases. 
> 
> My suggestion is to refuse the script that you are sent by the person
> trying to break-in. That way it won't be in your path when that
> nefarious address is sent. At the very least do not mark it as
> executable.

I think you're misunderstanding the scenario. Which is that *you* have
used claws facilities to install a script that *you* have written or
obtained from elsewhere. The bad actor then sends you a mail
with specially crafted headers (either at random as part of a general
mailshot, or because they have reason to believe you use claws) and
that mail exploits the bug in claws that causes such text to be
executed. Resulting in bad things happening on *your* system.

> Mike Yetto
> --
> "Pluralitas non est ponenda sine necessitates."
>  - William of Ockham


More information about the Users mailing list