Original submitter of the report: Olaf Kirch <okir@lst.de>
The hole may be exploitable if you let metamail run showext for messages of type message/external-body. At least tcsh, and possibly a few other csh's, do seem to do weird things when expanding command line arguments. If you give a script an argument of "foo FTP=/tmp/evilcmd", and it does
    set var=$1
this will assign foo to $var, and /tmp/evilcmd to $FTP. Unfortunately, metamail invokes showext with the MIME attributes on the command line, so you basically send it a header like this
    Content-type: message/external-body; access-type="anon-ftp"; name="passwd"; site="monad.swb.de"; directory="/etc"; mode="image FTP=/tmp/evilcmd"
Further below, the script will run $FTP to initiate the FTP connection. Up to now, I have not been able to pass arguments to the command, but that doesn't mean that you can't do interesting things with the above.
[Patch removed due to age.]
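
As an added example (not part of the original report, and not code from metamail or showext), the following Python check flags message/external-body parameters whose values would split into extra words, including NAME=value words, if a csh script expanded them unquoted as in the `set var=$1` line above. The function name `audit_external_body` and the benign sample header are constructed for illustration; the other sample is the header quoted in the report.

```python
import re
from email.message import Message

# A word that csh's `set` would treat as a further assignment (NAME=value).
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=")

# Header value quoted in the report above.
REPORTED = ('message/external-body; access-type="anon-ftp"; name="passwd"; '
            'site="monad.swb.de"; directory="/etc"; mode="image FTP=/tmp/evilcmd"')
# Constructed benign header for comparison (hypothetical site and file).
BENIGN = ('message/external-body; access-type="anon-ftp"; name="README"; '
          'site="ftp.example.org"; directory="/pub"; mode="image"')


def audit_external_body(content_type_value):
    """Return findings for a message/external-body Content-Type value.

    Each finding is (parameter, extra_word, variable_or_None). A finding
    means the parameter value splits into more than one word when expanded
    unquoted; variable is set when the extra word has NAME=value form.
    """
    msg = Message()
    msg["Content-Type"] = content_type_value
    if msg.get_content_type() != "message/external-body":
        return []
    findings = []
    for name, value in msg.get_params()[1:]:  # entry 0 is the media type
        if isinstance(value, tuple):          # RFC 2231 encoded parameter
            value = value[2]
        words = value.split()
        for extra in words[1:]:               # anything past the first word
            m = ASSIGNMENT.match(extra)
            findings.append((name, extra, m.group(1) if m else None))
    return findings


if __name__ == "__main__":
    for label, header in (("reported", REPORTED), ("benign", BENIGN)):
        print(label, audit_external_body(header))
```

A filter built on this would refuse to hand the message to the external-body handler whenever the list of findings is non-empty.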