COMMAND

    procmail

SYSTEMS AFFECTED

    Systems running procmail v3.11pre4 (only?)

PROBLEM

    Jamie Batsy found the following.  In the procmailex man page there
    is an example of a simple fileserver.

    The recipe in the man page sets up the fileserver so that incoming
    mail with the subject "request <filename>" returns the named file
    from $HOME/fileserver.  If someone were to use this recipe, all a
    villain would have to send would be:

        Subject: request /etc/passwd

    and procmail cheerfully returns the passwd file, or any other file
    readable by the user that procmail runs as (setuids to), because
    the recipe passes the requested name to cat unchecked.  This could
    be particularly bad if someone happened to have an infobot owned by
    root.

    On a more practical level, an unscrupulous cad could just request
    /var/mail/username and receive the unsuspecting user's mail file.
    The infinite possibilities for creativity are left to the gentle
    reader.  The offending text is included below for your perusal.

    PROCMAILEX(5)                                       PROCMAILEX(5)

              :0
              * !^X-Loop: yourname@your.main.mail.address
              * !^Subject:.*Re:
              * !^FROM_DAEMON
              * ^Subject:.*request
              {
                MAILDIR=$HOME/fileserver   # chdir to the fileserver directory

                :0 h             # extract the requested filename(s)
                FILES=| sed -n -e 's/^Subject:.*request \(.*\)/\1/p'

                :0 f                # reverse the mailheader
                | formail -rA "X-Loop: yourname@your.main.mail.address"

                :0
                | (cat; cat $FILES) | $SENDMAIL -oi -t
              }

SOLUTION

    Change the last Subject condition in the recipe above to read:

              * ^Subject:.*request [0-9a-z]

    and add the condition:

              * ! ^Subject:.*[/.]\.

    That will protect you from ".."s and keep dot files in general
    from being fetched.
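
    The same restrictions can also be enforced per filename in the shell,
    before anything reaches cat.  This is an added example, not part of the
    advisory or the procmailex man page; the function names is_safe_name
    and safe_files are assumptions.

```shell
#!/bin/sh
# Added example, not from the procmailex man page. Function names are assumptions.

# is_safe_name ROOT NAME: succeed only if NAME is a regular file inside ROOT.
is_safe_name() {
    root=$1 name=$2
    case $name in
        ''|/*|.*|-*|*/.*|*..*) return 1 ;;  # absolute, dot file, option-like, ".."
        *[!A-Za-z0-9._/-]*) return 1 ;;     # any character outside the allow-list
    esac
    [ -f "$root/$name" ] || return 1        # must exist as a regular file
    # Resolve symlinks in the directory part and confirm it is still under ROOT.
    real_root=$(cd -P -- "$root" && pwd -P) || return 1
    real_dir=$(cd -P -- "$(dirname -- "$root/$name")" && pwd -P) || return 1
    case $real_dir/ in
        "$real_root"/*) ;;
        *) return 1 ;;
    esac
    [ ! -L "$root/$name" ]                  # the file itself must not be a symlink
}

# safe_files ROOT REQUEST: print, one per line, the requested names that pass.
safe_files() {
    root_dir=$1
    set -f                                  # keep "*" in REQUEST from globbing
    for f in $2; do                         # split on whitespace, as `cat $FILES` does
        if is_safe_name "$root_dir" "$f"; then
            printf '%s\n' "$f"
        fi
    done
    set +f
}

# Stand-alone use: sh thisfile ROOT "name1 name2 ..."
if [ "$#" -ge 2 ]; then
    safe_files "$1" "$2"
fi
```

    Every name in the request is checked on its own, so a harmless first
    name does not carry an unchecked second one through to cat.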