Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: vpopmail CGIapps vpasswd vulnerabilities
From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Thu, 24 Oct 2002 10:41:48 -0700 (PDT)

Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD

At first I thought this meant it was available from these *BSD package
collections.

But I guess this means that this applies to any system that supports
os.system using a shell.

Also the name of the program is vpasswd.cgi (not to be confused with
different vpasswd).

.: Workaround

Before the os.system() method is called:

string.replace(direc, ";", "")
string.replace(passx, ";", "")

Also, need to check for other shell operators, meta-characters, etc.

The vendor has released version 0.3 in response of this advisory.

I see the fix has a partial fix.

It doesn't check for `backtick` or $(rm whatever) etc.

Also, it shouldn't just blindly replace with nothing and still run
command, because it may still have unexpected results (so better to just
error instead).

   Jeremy C. Reed

   http://bsd.reedmedia.net/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]