SpamAssassin Milter Plugin 'mlfi_envrcpt()' Remote Arbitrary Command Injection Vulnerability

A lack of input sanitization could lead to arbitrary code execution on
systems using the spamassassin milter plugin. The exploit given
specifically targets PostFix installations, however, this issue may
affect other mail services as well.

SpamAssassin Milter Plugin 0.3.1 is affected, although other versions
may be affected as well. v0.3.1 was released in April 2006.

Priority 2: This vulnerability has not yet been exploited at the
Institute, however, exploitation may be imminent. Other outside
businesses or schools are actively being exploited.

Severity 3: This vulnerability poses high risk within a group/school. It
does not pose a risk of contaminating other groups/schools.

If your mail setup uses this plugin, please contact me. It is
recommended that your mail daemon drop root privileges after binding to
port 25 and assume the role of a non-privileged user. This is not a
total fix, though, compromise is still possible.

Another method for using SpamAssassin may be available to you other than
this plugin using procmail or other ways.

A patch is not yet available.