remote root exec vulnerability in omail

To: <omail@xxxxxxxx>
Subject: remote root exec vulnerability in omail
From: Thijs Dalhuijsen <thijs@xxxxxxxxxxxxxx>
Date: Tue, 04 May 2004 19:10:00 +0200
Cc: <full-disclosure@xxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Microsoft-Entourage/10.0.0.1309

product:omail webmail
version: 0.98.5
notified: now


the "patch" on omail.pl still leaves the system wide open for attack,

the regex to filter out " and ' doesn't help you much if your $SHELL is bash
or something similar

both back ticks and more arcane ways of shell expansion $(rm -rf /) are
still possible

fix it by replacing the regex around line 411 to something like


        $password = quotemeta($password);
        

Happy patching,

Thijs



--
map{map{tr|10|# |;print}split//,sprintf"%.8b\n",$_}
unpack'C*',unpack'u*',"5`#8<3'X`'#8^-@`<-CPP`#8V/C8`"

Prev by Date: SUSE Security Announcement: kernel (SuSE-SA:2004:010)
Next by Date: Re: Crystal Reports Vulnerabilities
Previous by thread: SUSE Security Announcement: kernel (SuSE-SA:2004:010)
Next by thread: SMF SIZE Tag Script Injection Vulnerability
Index(es):
- Date
- Thread