ssmtp insecure file creation

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ssmtp insecure file creation
From: priestmaster@xxxxxx
Date: Sun, 18 Apr 2004 21:12 +0200
Cc: vuldb@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

 Hi,

ssmtp 2.50.6 create a logfile /tmp/ssmtp.log. The data in this logfile
is user specified. It's possible to overwrite any file with
the permissons of the ssmtp program (normally root). The
vulnerable call is in log_event. log_event vulnerable call:

#ifdef LOGFILE
        if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {
                (void)fprintf(fp, "%s\\n", buf);
                (void)fclose(fp);

I think, that all versions of ssmtp are vulnerable to this bug.

Have a nice day,

priest@xxxxxxxxxxxxxxxx
http://www.priestmaster.org

--
Ein Service von http://www.sms.at

Prev by Date: New Paper - SQL Injection Signatures Evasion
Next by Date: [ GLSA 200404-15 ] XChat 2.0.x SOCKS5 Vulnerability
Previous by thread: RE: New Paper - SQL Injection Signatures Evasion
Next by thread: [ GLSA 200404-15 ] XChat 2.0.x SOCKS5 Vulnerability
Index(es):
- Date
- Thread