Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Antwort: Openwebmail 1.71 remote root compromise

From: "Stephan Sachweh" <Stephan.Sachweh () pallas com>
Date: Mon, 23 Dec 2002 01:29:50 +0100
On 18.12.2002 18:37:59 Dmitry Guyvoronsky wrote: 


Software : Openwebmail (http://openwebmail.org)
Version  : ?.?? -> 1.71 (current)
Type     : Arbitrary commands execution
Remote   : yes
Root     : yes (!!!)
Date     : December 18, 2002




IV. RECOMENDATIONS

Temporary disable using of openwebmail until patch will be released by 

the 

vendor
or fix openwebmail-shared.pl, changing

- ---
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
- ---

into

- ---
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
$loginname =~ s/[\.\/\;\|\'\"\`\&]//g;
- ---


This Fix does not work if loginname includes the internet domain name (the 
dot´s disapear).

Change into:
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
$loginname =~ s/[\/\;\|\'\"\`\&]//g;
$loginname =~ s/\.\.//g;

Freundliche Gruesse / Best Regards

Stephan Sachweh
Abteilungsleiter Security Operations
--------------------------------------------------------------------
//// pallas / A Member of the ExperTeam Group
Pallas GmbH / Emil-Figge-Str. 85 / 44227 Dortmund / Germany
Stephan.Sachweh () pallas com / www.pallas.com
Tel +49-231-9704-221 / Fax +49-231-9704-609 / Mobile +49-173-5490754
--------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: