Bugtraq mailing list archives

Re: vpopmail CGIapps vpasswd vulnerabilities
From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Thu, 24 Oct 2002 10:41:48 -0700 (PDT)

Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD

At first I thought this meant it was available from these *BSD package

But I guess this means that this applies to any system that supports
os.system using a shell.

Also the name of the program is vpasswd.cgi (not to be confused with
different vpasswd).

.: Workaround

Before the os.system() method is called:

import string
# string.replace() returns a new string; the result has to be assigned back
direc = string.replace(direc, ";", "")
passx = string.replace(passx, ";", "")

Also, need to check for other shell operators, meta-characters, etc.

The vendor has released version 0.3 in response to this advisory.

I see the fix is only a partial fix.

It doesn't check for `backtick` or $(rm whatever) etc.

Also, it shouldn't just blindly replace with nothing and still run the
command, because it may still have unexpected results (so it is better to
just error out instead).

   Jeremy C. Reed
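The two points made in the message above (stripping ";" does not stop backtick or $(...) substitution, and silently deleting characters still runs a command whose meaning has changed) can be shown with a short script. This is an added example, not code from the advisory, from vpopmail-CGIApps or from the poster. It uses "echo" as a stand-in for the real vpasswd binary so it can run anywhere (assumption), and the field names direc and passx, the allowed-character set for the domain directory and the helper names are all hypothetical. The safe variant does what the message recommends: it rejects suspicious input with an error instead of scrubbing it, and it avoids the shell entirely by passing an argument list to subprocess.

```python
import re
import subprocess

# Assumption: "echo" stands in for the real vpasswd program so the
# demonstration runs offline and harmlessly.  The real CGI hands a
# string built from CGI fields to os.system(), i.e. to /bin/sh.
VPASSWD = "echo"


def strip_semicolons(value):
    """The partial fix: delete ';' and carry on regardless."""
    return value.replace(";", "")


def build_shell_command(direc, passx):
    """Build the command string the way an os.system() caller does."""
    return "%s %s %s" % (VPASSWD, direc, passx)


def run_via_shell(command):
    """Equivalent of os.system(): hand the string to /bin/sh and return stdout."""
    result = subprocess.run(["/bin/sh", "-c", command],
                            capture_output=True, text=True)
    return result.stdout.strip()


# Hypothetical allow-list for the domain directory field: a directory or
# domain name has no business containing shell metacharacters at all.
SAFE_DIREC = re.compile(r"[A-Za-z0-9._-]+")


def check_inputs(direc, passx):
    """Return a list of reasons to refuse the request (empty list = accept).

    The password is *not* scrubbed: once the shell is out of the picture
    (see run_vpasswd_safely) a '$(' or backtick in it is just bytes.  We
    only refuse what an argv cannot carry or what could be mistaken for
    an option by the called program (assumption about option parsing).
    """
    problems = []
    if not SAFE_DIREC.fullmatch(direc):
        problems.append("direc: characters outside [A-Za-z0-9._-]")
    if any(ord(c) < 0x20 or c == "\x7f" for c in passx):
        problems.append("passx: control characters not allowed")
    if passx.startswith("-"):
        problems.append("passx: leading '-' could be parsed as an option")
    return problems


def run_vpasswd_safely(direc, passx):
    """Error out on bad input, otherwise exec without any shell involvement."""
    problems = check_inputs(direc, passx)
    if problems:
        raise ValueError("; ".join(problems))
    # No shell: argv elements are passed to execve() verbatim, so
    # metacharacters in passx are never interpreted.
    result = subprocess.run([VPASSWD, direc, passx],
                            capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    evil = "x$(echo INJECTED)"            # constructed attacker input
    # Semicolon stripping leaves command substitution untouched:
    print(run_via_shell(build_shell_command("example.com",
                                            strip_semicolons(evil))))
    # Blind stripping silently turns one value into another and runs anyway:
    print(strip_semicolons("example.com;rm -rf /tmp/x"))
    # Without a shell the same bytes are just an argument:
    print(run_vpasswd_safely("example.com", evil))
    try:
        run_vpasswd_safely("example.com;rm", "secret")
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the shell expanding `$(echo INJECTED)` in the first case, the mangled but still-executed value in the second, the literal `$(echo INJECTED)` reaching the program as plain text in the third, and an outright refusal in the fourth. The same holds for the backtick form, which the 0.3 filter also lets through.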

