Describe the bug
The dynamic loading of the backend module uses an unsafe form of eval without sanitizing the module name from the config file.
mail-dmarc/lib/Mail/DMARC/Report/Store.pm
Line 43 in ac6d3ad
This can lead to code injection via a malicious configuration file, for example:
```
[report_store]
backend = SQL; print `whoami`;
```
Because the configuration file is loaded first from the current working directory (as mentioned in a previous issue: #231), the code injection could be abused to gain privileges on a system where the library is executed as a privileged user in a world-writable directory (e.g. /tmp).
Although the above is a somewhat unlikely scenario, I would still advise to switch to Module::Load for safer dynamic loading and to avoid loading the configuration file from the current working directory (maybe instead use $HOME/.mail-dmarc.ini).

bigio added a commit to bigio/mail-dmarc that referenced this issue May 31, 2024
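
One way to apply the Module::Load suggestion from the issue, as an added example that is not mail-dmarc's own code: the configured backend name is checked as a bare identifier and against an allowlist, then loaded by name so that no configuration text is ever compiled as Perl. The `Example::Store` namespace, the allowlist and the inline stand-in backend are assumptions made so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Module::Load qw(load);

# Hypothetical namespace and allowlist for this example (not the project's values).
my $NAMESPACE = 'Example::Store';
my %ALLOWED   = map { $_ => 1 } qw(SQL);

# Stand-in backend defined inline so the example needs no installed modules.
{
    package Example::Store::SQL;
    sub new { return bless {}, shift }
}
$INC{'Example/Store/SQL.pm'} = __FILE__;    # mark the inline package as loaded

# Pattern described in the issue, shown as a comment for contrast only:
#   eval "use ${NAMESPACE}::$backend";   # config value becomes Perl source
sub load_backend {
    my ($backend) = @_;
    die "backend not set\n" unless defined $backend && length $backend;

    # Accept a single bare identifier only. Module::Load treats a string that
    # does not look like a module name as a file to require, so validate first.
    die "invalid backend name\n"
        unless $backend =~ /\A[A-Za-z][A-Za-z0-9_]*\z/;
    die "backend not in allowlist\n" unless $ALLOWED{$backend};

    my $module = "${NAMESPACE}::$backend";
    load $module;                           # require by name, no string eval
    return $module->new;
}

# Constructed inputs: a valid value, the value from the issue, an unknown name.
for my $value ('SQL', 'SQL; print `whoami`;', 'NoSuchBackend') {
    my $obj = eval { load_backend($value) };
    my $result = $obj ? 'loaded ' . ref($obj) . "\n" : "rejected: $@";
    printf "%-24s => %s", "'$value'", $result;
}
```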