[27587] in bugtraq
Re: vpopmail CGIapps vpasswd vulnerabilities
daemon@ATHENA.MIT.EDU (Jeremy C. Reed)
Thu Oct 24 15:32:40 2002
Date: Thu, 24 Oct 2002 10:41:48 -0700 (PDT)
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: bugtraq@securityfocus.com
In-Reply-To: <200210241126.33510.n.bugtraq@icana.org.ar>
Message-ID: <Pine.LNX.4.43.0210241020040.25224-100000@pilchuck.reedmedia.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
> Product Name: vpopmail-CGIApps
> Systems: Linux/OpenBSD/FreeBSD/NetBSD
At first I thought this meant it was available from these *BSD package
collections.
But I guess this means that this applies to any system that supports
os.system using a shell.
Also the name of the program is vpasswd.cgi (not to be confused with
different vpasswd).
> .: Workaround
>
> Before the os.system() method is called:
>
> direc = string.replace(direc, ";", "")
> passx = string.replace(passx, ";", "")
Also, it needs to check for other shell operators, meta-characters, etc.
> The vendor has released version 0.3 in response of this advisory.
I see the fix is only a partial fix.
It doesn't check for `backtick` or $(rm whatever) etc.
Also, it shouldn't just blindly replace with nothing and still run the
command, because it may still have unexpected results (so it is better to
just error instead).
Jeremy C. Reed
http://bsd.reedmedia.net/
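The two points in the reply above, rejecting input instead of stripping one character and then running anyway, and keeping user-controlled values away from a shell altogether, as an added example. This is not code from the advisory or from vpopmail-CGIApps; the function names, the `SHELL_META` set and the program name "vpasswd" used as argv[0] are assumptions for illustration, and the child process that echoes its argument stands in for whatever helper the CGI really invokes.

```python
import subprocess
import sys

# Characters a POSIX shell interprets specially (assumed list for this
# example). Stripping ';' alone, as the quoted workaround does, leaves every
# one of these in play.
SHELL_META = frozenset(';&|`$(){}<>*?[]~!#"\'\\ \t\n\r')


class UnsafeInput(ValueError):
    """Raised instead of silently altering the value and running anyway."""


def strip_semicolons(value):
    """The quoted workaround's behaviour: drop ';' and keep going."""
    return value.replace(";", "")


def reject_shell_meta(value):
    """Return value unchanged if it contains no shell metacharacters,
    otherwise raise UnsafeInput: error out rather than replace-and-run."""
    bad = sorted(set(value) & SHELL_META)
    if bad:
        raise UnsafeInput("unsafe characters %r in %r" % ("".join(bad), value))
    return value


def is_safe(value):
    """Boolean form of reject_shell_meta for callers that prefer a check."""
    try:
        reject_shell_meta(value)
    except UnsafeInput:
        return False
    return True


def build_shell_string(program, direc, passx):
    """The pattern the advisory describes: values pasted into one string
    that os.system() hands to /bin/sh. Returned here, never executed."""
    return "%s %s %s" % (program, direc, passx)


def build_argv(program, direc, passx):
    """Hardened form: validated values as separate argv elements, meant for
    subprocess without shell=True, so no shell re-parses them."""
    return [program, reject_shell_meta(direc), reject_shell_meta(passx)]


def echo_via_argv(value):
    """Show that an argv list passes metacharacters through literally.
    The child is this interpreter printing argv[1] (a stand-in for the real
    helper program; any program receives argv the same way)."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        stdout=subprocess.PIPE, universal_newlines=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    sample = "dir`id`$(rm whatever)"   # constructed hostile input
    print(strip_semicolons(sample))    # backticks and $() survive the strip
    print(is_safe(sample))             # False: the CGI should error out
    print(echo_via_argv(sample))       # echoed back verbatim, nothing ran
```

`build_argv` is the part that actually closes the hole: with an argument list and no `shell=True`, the characters the reply lists are just bytes in argv[1]. `reject_shell_meta` is there because the reply recommends erroring out over replace-and-run, but note it will refuse legitimate passwords that contain spaces or punctuation, so once the shell is out of the picture the validator can be relaxed to whatever the downstream program's own syntax requires.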