vpopmail CGIapps vadddomain multiple vulnerabilities
From: Ignacio Vazquez (n.bugtraq@icana.org.ar)Date: 10/24/02
- Previous message: D4rkGr3y: "TFTP Server DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Ignacio Vazquez <n.bugtraq@icana.org.ar> To: bugtraq@securityfocus.com Date: Thu, 24 Oct 2002 11:27:36 -0300
Centaura Technologies Security Research Lab Advisory
Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD
Severity: High Risk
Remote: Yes
Category: Insuficient input checking
Vendor URL: http://diario.buscadoc.org/index.php?topic=Programas
Advisory Author: Ignacio Vazquez
Advisory URL: http://www.centaura.com.ar/infosec/adv/vpopmailCGIappsdomain.txt
Date: 14 October 2002
Advisory Code: CTADVIIC044
.:Introduction
vpopmail-CGIApps is a qmail-vpopmail domain administrator
written in Python.
.: Impact
An attacker can execute arbitrary code as the setuid user of the
script (normally vpopmail), giving him the posibility to add/modify
and delete accounts/domains from the database, add and edit system
files, etc.
This can lead to complete e-mail server compromise.
.: Description
By providing a special crafted data in the domain form field
(typing ; in there), the script executes os.system() function,
adds the domains and then executes the command after the ;
.: Exploit.
In "domini" field, put: "; echo 'test' > /tmp/vpoptest"
When you send the form, a new file in /tmp will be created.
.: Workaround
Before the os.system() method is called:
string.replace(domini, ";", "")
string.replace(passx, ";", "")
os.system('/usr/bin/sudo -u root /home/vpopmail/bin/vpasswd' +" "+ direc + "
"+ passx)
.: Official Fix Information
The vendor has released version 0.3 in response of this advisory
-----
Ignacio Vazquez
<ivazquez@centaura.com.ar>
Director of Technology
Security Labs Manager
Centaura Technologies
http://www.centaura.com.ar
- Previous message: D4rkGr3y: "TFTP Server DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
