| VID |
18022 |
| Severity |
40 |
| Port |
25 |
| Protocol |
TCP |
| Class |
SMTP |
| Detailed Description |
The Sendmail server allows to mail to files directly.
Some Sendmail servers don't complain when a remote attacker sends mail with a "RCPT TO" string, which is specified the file name as the follow :
MAIL FROM: root@domain.com
RCPT TO: /tmp/secuiscan_test
This probably means that it is possible to send mail to files directly, which is a serious threat, since this allows a remote attacker to overwrite sensitive files on the remote server and create files via Sendmail.
Note: This check might be a "False Positive", since some MTAs will not complain to this test, but instead just drop the message silently. This scanner attempts to create a file called 'by_scanner.mailingtofiles.vulnerability' in /tmp directory. If this file exists on the specified host after the scan is complete, then the host is vulnerable.
* References:
http://www.cert.org/advisories/CA-1995-08.html
http://online.securityfocus.com/bid/2308 |
| Recommendation |
Upgrade to the latest version of Sendmail, available from the Sendmail site or change your MTA.
ftp://ftp.sendmail.org/pub/sendmail |
| Related URL |
CVE-1999-0203 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
