Bugtraq mailing list archives
Re: vpopmail CGIapps vpasswd vulnerabilities
From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Thu, 24 Oct 2002 10:41:48 -0700 (PDT)
> Product Name: vpopmail-CGIApps
> Systems: Linux/OpenBSD/FreeBSD/NetBSD
At first I thought this meant it was available from these *BSD package collections. But I guess this means that this applies to any system that supports os.system using a shell. Also, the name of the program is vpasswd.cgi (not to be confused with the different vpasswd).
> .: Workaround
>
> Before the os.system() method is called:
>
>   direc = string.replace(direc, ";", "")
>   passx = string.replace(passx, ";", "")
Also, need to check for other shell operators, meta-characters, etc.
> The vendor has released version 0.3 in response to this advisory.
I see the fix is a partial fix. It doesn't check for `backtick` or $(rm whatever) etc. Also, it shouldn't just blindly replace with nothing and still run the command, because it may still have unexpected results (so better to just error instead).

Jeremy C. Reed
http://bsd.reedmedia.net/
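To make the point of the reply concrete, here is an added Python example that is not code from the advisory, from the vpopmail-CGIApps vendor, or from this message. It shows the os.system() string-splicing pattern the advisory describes, the ";"-only strip beside inputs it does not neutralise (backticks, $(...)), and the two fixes a practitioner would want instead: reject unexpected input with an error rather than editing it and running anyway, and pass the arguments as an argv list with no shell at all. The vpasswd binary path, the meaning of direc (account name) and passx (new password), and the account allow-list are assumptions for illustration.

```python
import re
import shlex
import subprocess

# Assumed location of the vpopmail vpasswd binary; not taken from the advisory.
VPASSWD = "/usr/local/vpopmail/bin/vpasswd"

# A sample of sh(1) metacharacters the ';'-only workaround leaves untouched.
# Illustrative, not an exhaustive list of what a shell treats specially.
SHELL_META = set("&|`$(){}<>*?[]!#~\"'\\\n")


def vulnerable_command(direc, passx):
    """The pattern the advisory describes: untrusted CGI parameters spliced
    into a command string handed to os.system(). Returned rather than
    executed so this example stays inert."""
    return "%s %s %s" % (VPASSWD, direc, passx)


def semicolon_workaround(value):
    """The 0.3-style workaround: drop ';' and carry on regardless."""
    return value.replace(";", "")


def still_injectable(value):
    """True if, after the ';' strip, the value still carries characters a
    shell will interpret, e.g. backticks or $( ... )."""
    return any(c in SHELL_META for c in semicolon_workaround(value))


class RejectedInput(ValueError):
    """Raised instead of silently editing input and running anyway."""


# Allow-list for the account argument (constructed; adjust to the real
# account naming rules).
SAFE_ACCOUNT = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def validate_account(value):
    """Allow-list check: anything outside the expected alphabet is an error,
    never something to 'clean up' and then execute."""
    if not SAFE_ACCOUNT.match(value):
        raise RejectedInput("unexpected characters in account: %r" % value)
    return value


def validate_password(value):
    """Passwords legitimately contain punctuation, so only reject what can
    break the call: NUL/newline, absurd length, and a leading '-' that
    vpasswd could mistake for an option (argument injection, which argv
    passing alone does not prevent)."""
    if "\0" in value or "\n" in value or not 1 <= len(value) <= 128:
        raise RejectedInput("bad password value")
    if value.startswith("-"):
        raise RejectedInput("password must not start with '-'")
    return value


def build_argv(direc, passx):
    """argv for subprocess.run(..., shell=False): no shell parses the
    arguments, so ';', backticks and $(...) in passx are just bytes."""
    return [VPASSWD, validate_account(direc), validate_password(passx)]


def safe_shell_command(direc, passx):
    """If a shell really must be used, quote each argument for it."""
    return "%s %s %s" % (
        VPASSWD,
        shlex.quote(validate_account(direc)),
        shlex.quote(validate_password(passx)),
    )


def change_password(direc, passx):
    """Hardened call: argv list, no shell. Returns the exit status."""
    return subprocess.run(build_argv(direc, passx), check=False).returncode


if __name__ == "__main__":
    for evil in ("bob; rm -rf /", "bob`id`", "bob$(id)"):
        print(repr(evil), "->", repr(semicolon_workaround(evil)),
              "still injectable:", still_injectable(evil))
    print(build_argv("bob@example.com", "p@ss;w0rd$(id)"))
    print(safe_shell_command("bob@example.com", "p@ss;w0rd$(id)"))
```

Run stand-alone, the loop shows that stripping ";" leaves "bob`id`" and "bob$(id)" fully shell-interpretable, while build_argv() keeps the same characters in the password harmlessly because no shell ever sees them. The leading "-" check is the caveat that an argv list fixes shell injection but not option injection into the target program.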
Current thread:
- vpopmail CGIapps vpasswd vulnerabilities Ignacio Vazquez (Oct 24)
- Re: vpopmail CGIapps vpasswd vulnerabilities Jeremy C. Reed (Oct 24)