Joe Acquisto-j4:
> Comments on the ZD net article that claims shellshock exploit via
> crafty SMTP headers? Just asking, that's all . . .
>
> I attached a link to it below, please excuse if that is improper behavior.
>
> http://www.zdnet.com/shellshock-attacks-mail-servers-7000035094/

http://www.postfix.org/local.8.html

    ...
    A limited amount of message context is exported via environment
    variables. Characters that may have special meaning to the shell
    are replaced by underscores. The list of acceptable characters is
    specified with the command_expansion_filter configuration parameter.
    ...
    EXTENSION
        The optional recipient address extension.
    ...

The default command_expansion_filter setting replaces "(){}" and
other shell metacharacters with "_".

That said, if other software exports variables that contain (){}
etc. then they were not as careful as I was when I wrote Postfix.

Wietse
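
The filtering described in the reply above, as an added example that is not part of the original post and is not Postfix code: a small Python model of an allow-list filter applied to exported message context, plus a check for whether a locally widened filter would let the "() {" prefix through. The filter string is an assumed default (confirm with `postconf -d command_expansion_filter`); the function names and the sample message attributes are constructed for illustration.

```python
import string

# Assumed default allow-list; confirm on a real system with:
#   postconf -d command_expansion_filter
ASSUMED_DEFAULT_FILTER = (
    "1234567890!@%-_=+:,./" + string.ascii_lowercase + string.ascii_uppercase
)

# Prefix that pre-patch bash treated as a function definition when it
# appeared at the start of an environment variable's value.
FUNCTION_PREFIX = "() {"


def apply_expansion_filter(value, allowed=ASSUMED_DEFAULT_FILTER):
    """Replace every character outside the allow-list with '_'."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def export_context(attrs, allowed=ASSUMED_DEFAULT_FILTER):
    """Model of exporting message context: filter every value first."""
    return {name: apply_expansion_filter(v, allowed) for name, v in attrs.items()}


def looks_like_function_export(value):
    """True if a value would still start with the function-definition prefix."""
    return value.startswith(FUNCTION_PREFIX)


def filter_permits_function_prefix(allowed):
    """Audit check: does this allow-list pass all characters of '() {'?"""
    return all(ch in allowed for ch in FUNCTION_PREFIX)


# Constructed sample: a recipient address extension carrying shell syntax.
CONSTRUCTED_ATTRS = {
    "LOCAL": "joe",
    "DOMAIN": "example.com",
    "EXTENSION": "() { :; }; echo probe",
}

if __name__ == "__main__":
    for name, value in export_context(CONSTRUCTED_ATTRS).items():
        print(f"{name}={value}  function-prefix={looks_like_function_export(value)}")
    widened = ASSUMED_DEFAULT_FILTER + "(){}; "  # hypothetical local override
    print("default permits prefix:", filter_permits_function_prefix(ASSUMED_DEFAULT_FILTER))
    print("widened permits prefix:", filter_permits_function_prefix(widened))
```

The second check is the one to run against a site's own setting: a filter that has been widened locally to admit "(", ")", "{" and space no longer gives the protection described above.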