Re: vpopmail CGIapps vpasswd vulnerabilities
From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Thu, 24 Oct 2002 10:41:48 -0700 (PDT)
Product Name: vpopmail-CGIApps
At first I thought this meant it was available from these *BSD package
But I guess this means that this applies to any system that supports
os.system using a shell.
Also the name of the program is vpasswd.cgi (not to be confused with
Before the os.system() method is called:
string.replace(direc, ";", "")
string.replace(passx, ";", "")
Also, need to check for other shell operators, meta-characters, etc.
The vendor has released version 0.3 in response to this advisory.
I see the fix has a partial fix.
It doesn't check for `backtick` or $(rm whatever) etc.
Also, it shouldn't just blindly replace with nothing and still run the
command, because it may still have unexpected results (so better to just
Jeremy C. Reed
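The two points in the message above (a ';'-only strip lets backtick and $(...) forms through, and a command should be refused rather than run on a mangled string) shown in working code. This is an added illustration, not code from the vpopmail CGIApps project or from the advisory; the allow-list character class and the use of the Python interpreter as a stand-in for the vpasswd binary are my own assumptions, and the approach goes a step beyond the post by passing arguments as an argv list so no shell ever sees them.

```python
import re
import subprocess
import sys

# The vendor's approach as quoted in the post: drop ';' and carry on.
def strip_semicolons(value):
    return value.replace(";", "")

# Assumed allow-list for a mail-domain directory name: letters, digits and a
# few punctuation characters. Anything else (backticks, $, (, ), |, &, quotes,
# whitespace ...) is refused outright instead of being stripped.
DIRECTORY_RE = re.compile(r"[A-Za-z0-9_.@/-]+")

def is_acceptable(value):
    """True only when the whole value matches the allow-list; no stripping."""
    return DIRECTORY_RE.fullmatch(value) is not None

def run_without_shell(args):
    """Run a child with an argv list (shell=False), so metacharacters in args
    are plain text. sys.executable stands in for the real vpasswd binary
    (assumption); the child just echoes its first argument back."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])"] + list(args),
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")

def change_password(direc, passx):
    """Defensive wrapper: refuse bad directory names; never build a shell
    string. The password itself needs no character restriction once it is
    passed as its own argv element."""
    if not is_acceptable(direc):
        raise ValueError("directory name contains disallowed characters")
    return run_without_shell([direc, passx])
```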