Wietse Venema:
> @ lbutlr:
> > > Careful with that. Too easy to create a script injection vector. Bash is
> > > not a good language in which to construct safely quoted remote content
> > > for injection into a suitable HTML skeleton.
> >
> > Injection from where? The script is only accessible to the root user on
> > the mail server and only checks /var/log/maillog (or the log specified
> > at the top of the script). There's no remote content involved.
>
> Injection from the SMTP port.

SMTP session:

220 mail.example.com
EHLO client.example
...
MAIL FROM<"some HTML code inside double quotes"@example.com>

Proof of concept:

MAIL FROM<"<script type='text/javascript'>alert('xss');</script>"@example.com>

If you read this with a web browser, the following may be more readable:

MAIL FROM<"<script type='text/javascript'>alert('xss');</script>"@example.com>

	Wietse
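A defender's version of the rendering step this thread argues about, added here as an illustration and not code from the list or from lbutlr's script. It parses constructed Postfix-style qmgr lines, one carrying the quoted-local-part sender from the proof of concept, and escapes every field before it is written into the HTML skeleton; the log layout, the regex and the html_report function are assumptions, and it is in Python rather than bash because escaping there is a single library call.

```python
import html
import re
from typing import Optional

# Constructed Postfix-style qmgr log lines (not taken from the thread). The
# second carries the quoted-local-part sender from the proof of concept: a
# syntactically valid RFC 5321 address whose local part is HTML.
SAMPLE_LOG = (
    "Jan  1 12:00:00 mail postfix/qmgr[1234]: 4A1B2C3D4E: "
    "from=<alice@example.org>, size=1024, nrcpt=1 (queue active)\n"
    "Jan  1 12:00:01 mail postfix/qmgr[1234]: 5F6A7B8C9D: "
    "from=<\"<script type='text/javascript'>alert('xss');</script>\"@example.com>, "
    "size=2048, nrcpt=1 (queue active)\n"
)

# The sender is matched lazily: the address itself may contain '>' characters,
# so stop at the first '>, size=' rather than at the first '>'.
QMGR_FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>.*?)>, size=(?P<size>\d+)"
)


def parse_qmgr_line(line: str) -> Optional[dict]:
    """Return the fields of a qmgr 'from=' line, or None for other lines."""
    m = QMGR_FROM_RE.match(line)
    return m.groupdict() if m else None


def render_row(rec: dict, escape: bool) -> str:
    """One table row. escape=False interpolates the sender raw (the bug the
    thread describes); escape=True passes every field through html.escape(),
    so log content can only ever render as text, never as markup."""
    cells = [rec["ts"], rec["qid"], rec["sender"], rec["size"]]
    if escape:
        cells = [html.escape(c, quote=True) for c in cells]
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def html_report(log_text: str, escape: bool = True) -> str:
    """Wrap the parsed rows in a minimal HTML skeleton (hypothetical layout)."""
    records = filter(None, map(parse_qmgr_line, log_text.splitlines()))
    rows = "\n".join(render_row(r, escape) for r in records)
    return "<html><body><table>\n" + rows + "\n</table></body></html>"
```

Calling html_report(SAMPLE_LOG, escape=False) reproduces the injectable output; the default escape=True is the fix.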