[34583] in bugtraq
ssmtp insecure file creation
daemon@ATHENA.MIT.EDU (priestmaster@sms.at)
Mon Apr 19 16:38:24 2004
Mime-version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Date: Sun, 18 Apr 2004 21:12 +0200
From: priestmaster@sms.at
To: bugtraq@securityfocus.com
Cc: vuldb@securityfocus.com
Message-Id: <20040418191252.EEDB63CD358@mail1.sms.at>
Content-Transfer-Encoding: 8bit
Hi,
ssmtp 2.50.6 create a logfile /tmp/ssmtp.log. The data in this logfile
is user specified. It's possible to overwrite any file with
the permissons of the ssmtp program (normally root). The
vulnerable call is in log_event. log_event vulnerable call:
#ifdef LOGFILE
if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {
(void)fprintf(fp, "%s\\n", buf);
(void)fclose(fp);
I think, that all versions of ssmtp are vulnerable to this bug.
Have a nice day,
priest@priestmaster.org
http://www.priestmaster.org
--
Ein Service von http://www.sms.at
