<<< Date Index >>>     <<< Thread Index >>>

Lam3rZ Security Advisory #3/2004: A bug in Confirm leads to remote command execution



                Lam3rZ Security Advisory #3/2004

                        23 Feb 2004

                Remote command execution in Confirm

Name:                   Confirm <=0.62
Severity:               High
Software URL:           http://freshmeat.net/projects/confirm/
Software author:        David Lechnyr <davidrl/at/comcast/dot/net>
Advisory author:        Mariusz Woloszyn <emsi/AT/GTS/dot/PL>
Vendor notified:        Feb 6, 2004
Vendor confirmed:       Feb 6, 2004
Vendor fix:             Feb 9, 2004


Impact:
-------

Confirm is a simple procmail script that uses a pattern-matching
auto-whitelist to help identify unsolicited email.
A forged email headers may lead to a remote command execution under users
(or even root, if root uses confirm) privileges.


Description:
------------

Due to insufficient user supplied data filtering, emails containing special
characters, like ",`,|,;,$ and so on in headers may trick confirm and lead
to command execution.


How to patch:
-------------

Install confirm-0.70 from:
http://hr.uoregon.edu/davidrl/confirm/confirm-0.70.tgz
Please note, that significant changes has happened since previous
version!!!


Regards,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners