SecurityTracker.com
Category:  Application (E-mail Server)  >  Open WebMail
Vendors:  openwebmail.org
Open WebMail Input Validation Flaw in 'vacation.pl' Lets Remote Users Execute Arbitrary Programs
SecurityTracker Alert ID:  1010605
SecurityTracker URL:  http://securitytracker.com/id?1010605
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 29 2004
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): all versions before 20040629
Description:  A vulnerability was reported in Open WebMail in the 'vacation.pl' component. A remote user can execute arbitrary programs with the privileges of the target web service.

The vendor reported that the 'vacation.pl' script does not properly validate user-supplied parameters to determine if the specified list file exists or not. A remote authenticated user can supply a specially crafted file name to cause the script to execute an arbitrary program on the target system.

The vendor credits Ken Girrard with reporting this flaw.

Impact:  A remote user can execute arbitrary programs with the privileges of the target web service.
Solution:  The vendor has released a fix, available in the latest openwebmail-current.tgz (as of the time of this entry). The vendor has also released a patch, available at:


http://openwebmail.org/openwebmail/download/cert/patches/SA-04:04/
http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:04/

As a workaround, the vendor says that you can move 'vacation.pl' to another directory (e.g., '/usr/local/bin/vacation.pl') and change the path of 'vacation.pl' in the vacationinit and vacationpipe options in the 'openwebmail.conf.default' configuration file.

Vendor URL:  www.openwebmail.org/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 29 Jun 2004 00:42:53 -0400
Subject:  http://sourceforge.net/forum/message.php?msg_id=2640281

 

http://sourceforge.net/forum/message.php?msg_id=2640281

Topic: remote user can execute any program with apache

Announced: 2004-06-29
Credits: Ken Girrard <kgirrard.AT.users.sourceforge.net>

Affects: all versions before 20040629
Corrected: openwebmail versions after 2.32 20040629

Patches: http://openwebmail.org/openwebmail/download/cert/patches/SA-04:
http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/

I. Background

vacation.pl is a script designed to do autoreply in Open WebMail.

II. Problem Description

vacation.pl accepted a parameter as the name of the list file without
checking the file's existence. It could be exploited to invoke any program
on the server with apache privilege.

This is a very serious vulnerability and should be taken seriously.

III. Impact

Remote user can execute any program on the openwebmail server with apache.

IV. Workaround

Move vacation.pl to another directory, e.g. /usr/local/bin/vacation.pl,
and change the path of vacation.pl in the options vacationinit & vacationpipe
in openwebmail.conf.default

V. Solution

A. upgrade to the latest openwebmail-current.tgz

B. or apply the patch in

http://openwebmail.org/openwebmail/download/cert/patches/SA-04:04/
http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:04/




 



Copyright 2004, SecurityGlobal.net LLC