[Users] That won't work.

wwp subscript at free.fr
Tue Oct 13 18:23:50 CEST 2020


Hello Dave,


On Tue, 13 Oct 2020 16:58:57 +0100 Dave Howorth <dave at howorth.org.uk> wrote:

[snip]
> > I think that our point here is to determine if Claws Mail may execute
> > malicious commands that are placed in header values or not because of
> > the way it executes the external command and passes data to it.  
> 
> Agreed but ...
> 
> The point here made by myself, Michal and Dragony is that we have
> *already* demonstrated that fact and posted the information here to
> reproduce the problem yourself. Claws DOES execute malicious commands
> that are placed in header values because of the way it executes the
> external command and passes data to it.
> 
> To post again the information already posted upthread:
> 
> Dragony posted:
> 
> The "rm -rf /*" part is not even arriving at my script, so I can't do
> anything about it in my script. Is there really nobody here seeing a
> security risk with |p{/your/program %some_var_with_arbitrary_data}
> while everything in {} is being passed unquoted to the shell??
> 
> Dragony posted the command that he might want to use:
> 
> |p{tool.pl %to}
> 
> Dragony then gave an exact formula for the bad guy to construct a
> malicious email header:
> 
> To: You <legit at address.com>, "Mr. Han';touch /tmp/boom;'"
> 
> I then set up such a command, wrote a simple version of tool.pl that
> simply prints its arguments, and sent myself an email with the
> malicious header. My program received just one argument that did not
> include the malicious payload and meanwhile claws created /tmp/boom :(
> 
> See
> https://lists.claws-mail.org/pipermail/users/2020-October/027068.html
> 
> This is a well-known problem, so I'm quite surprised and frustrated to
> find so many people apparently not understanding it and unwilling to
> contemplate applying the equally well-known simple fix.

I'm not saying that I disagree, I perfectly understand the issue
formerly reported by our 400-identity dragony fellow ;-). Didn't have
spare time to spend on it yet, not even to try reproducing it, not sure when.


Regards,

-- 
wwp
https://useplaintext.email/
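The mechanism Dave describes above, as an added example that is not code from this thread or from Claws Mail: it models the %to substitution as a plain text replacement handed to /bin/sh (an assumption about how the template is expanded), uses a harmless `echo INJECTED` in place of the destructive command, and contrasts the naive template that wraps %to in single quotes with the two fixes a practitioner would apply, quoting the value at substitution time or skipping the shell entirely.

```python
import shlex
import subprocess
import sys

# Constructed sample: the display-name part of a To: header, shaped like the one
# in the thread but with a harmless command instead of the destructive one.
HEADER_VALUE = "Mr. Han';echo INJECTED;'"

# Two |p{...}-style templates; %to stands for the header value. Wrapping %to in
# single quotes looks like a fix but is defeated by a value containing a quote.
NAIVE_TEMPLATE = "printf '[%s]\\n' '%to'"
PLAIN_TEMPLATE = "printf '[%s]\\n' %to"


def substitute_verbatim(template, value):
    """Model of unquoted substitution (assumed): the header value is spliced in as-is."""
    return template.replace("%to", value)


def substitute_quoted(template, value):
    """Fix 1: quote the value at substitution time so the shell sees exactly one word."""
    return template.replace("%to", shlex.quote(value))


def run_shell(cmdline):
    """Hand the expanded command line to /bin/sh, as a template executor would."""
    proc = subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True)
    return proc.stdout


def run_argv(program_argv, value):
    """Fix 2: no shell at all; the header value is one argv element, whatever it holds."""
    proc = subprocess.run(program_argv + [value], capture_output=True, text=True)
    return proc.stdout


def demo():
    """Return stdout of each variant so the difference can be checked, not just eyeballed."""
    # Stand-in for tool.pl: a tiny program that prints the argv it received.
    echo_argv = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))"]
    return {
        "naive": run_shell(substitute_verbatim(NAIVE_TEMPLATE, HEADER_VALUE)),
        "quoted": run_shell(substitute_quoted(PLAIN_TEMPLATE, HEADER_VALUE)),
        "argv": run_argv(echo_argv, HEADER_VALUE),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

Only the naive variant produces a separate INJECTED line; in both fixes the whole header value, quotes and semicolons included, reaches the program as a single argument.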