The app is vulnerable if it runs in an unsafe environment that allows qmail to a... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

gowld on May 20, 2020 | parent | context | favorite | on: 15 years later: remote code execution in qmail

The app is vulnerable if it runs in an unsafe environment that allows qmail to access more than 4GB (an absurdly large value when qmail was published in 1997 -- it would cost $5000 plus a rare, expensive machine to hold it).

djb's view is that the environment is the responsibility of the admin, not the program's responsibility to enforce sane defaults. This is of course debatable.

If the admin uses a recommended environment (low memory limit), there is no exploitability.

allover on May 20, 2020 [–]

So it's not secure by default.

rq1 on May 21, 2020 | [–]

It is in the sense that the author did specify AFAIK the bounds within it should run, no?

tedunangst on May 21, 2020 | | [–]

Where and when? If I had installed qmail on a 64 bit machine in 2004, how would I have known that it was remotely exploitable?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact