[34792] in bugtraq
remote root exec vulnerability in omail
daemon@ATHENA.MIT.EDU (Thijs Dalhuijsen)
Wed May 5 12:05:59 2004
Date: Tue, 04 May 2004 19:10:00 +0200
From: Thijs Dalhuijsen <thijs@dalhuijsen.com>
To: <omail@omail.ch>
Cc: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
Message-ID: <BCBD9B08.4832%thijs@dalhuijsen.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
product: omail webmail
version: 0.98.5
notified: now

the "patch" on omail.pl still leaves the system wide open for attack,
the regex to filter out " and ' doesn't help you much if your $SHELL is bash
or something similar

both backticks and more arcane ways of shell expansion $(rm -rf /) are
still possible

fix it by replacing the regex around line 411 with something like

    $password = quotemeta($password);

Happy patching,
Thijs
--
map{map{tr|10|# |;print}split//,sprintf"%.8b\n",$_}
unpack'C*',unpack'u*',"5`#8<3'X`'#8^-@`<-CPP`#8V/C8`"
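
Added example, not part of the original post and not omail's code: a Perl script showing that stripping only " and ' leaves shell expansion intact, that the quotemeta fix suggested above neutralises it, and that a list-form call keeps the shell out of the picture entirely. The strip_quotes filter, the printf helper command and the sample passwords are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the filter the post criticises: strip " and ' only.
sub strip_quotes { my ($s) = @_; $s =~ s/["']//g; return $s }

# Single-string command: Perl hands it to the shell when it contains
# metacharacters, so any expansion left in $arg is evaluated.
sub via_shell {
    my ($arg) = @_;
    my $out = `printf %s $arg`;
    return defined $out ? $out : '';
}

# List-form pipe open: the program is exec'd directly and no shell ever
# parses $arg, so nothing in it can be expanded.
sub via_list {
    my ($arg) = @_;
    open(my $fh, '-|', 'printf', '%s', $arg) or die "cannot run printf: $!";
    local $/;                       # slurp all output at once
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Constructed sample passwords; the expansions only echo a harmless marker.
my @samples = ('hunter2', '$(echo EXPANDED)', '`echo EXPANDED`');

my $fmt = "%-20s %-12s %-20s %-20s\n";
printf $fmt, 'input', 'strip-only', 'quotemeta', 'list-form';
for my $pw (@samples) {
    printf $fmt,
        $pw,
        via_shell(strip_quotes($pw)),   # expansion runs: marker appears
        via_shell(quotemeta($pw)),      # every metacharacter backslash-escaped
        via_list($pw);                  # argument reaches the program verbatim
}
```

One caveat with quotemeta as a shell escape: it turns a newline into backslash-newline, which the shell treats as a line continuation and drops, so the list form is the more robust of the two.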