[28307] in bugtraq
Antwort: Openwebmail 1.71 remote root compromise
daemon@ATHENA.MIT.EDU (Stephan Sachweh)
Mon Dec 23 16:03:29 2002
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Message-ID: <OFEAF6CED5.5DC14784-ONC1256C98.0001B774-C1256C98.0002BAEC@pallas.com>
From: "Stephan Sachweh" <Stephan.Sachweh@pallas.com>
Date: Mon, 23 Dec 2002 01:29:50 +0100
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
On 18.12.2002 18:37:59 Dmitry Guyvoronsky wrote:
> Software : Openwebmail (http://openwebmail.org)
> Version : ?.?? -> 1.71 (current)
> Type : Arbitrary commands execution
> Remote : yes
> Root : yes (!!!)
> Date : December 18, 2002
> IV. RECOMENDATIONS
>
> Temporary disable using of openwebmail until patch will be released by
the
> vendor
> or fix openwebmail-shared.pl, changing
>
> - ---
> $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
> - ---
>
> into
>
> - ---
> $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
> $loginname =~ s/[\.\/\;\|\'\"\`\&]//g;
> - ---
This Fix does not work if loginname includes the internet domain name (the
dotīs disapear).
Change into:
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
$loginname =~ s/[\/\;\|\'\"\`\&]//g;
$loginname =~ s/\.\.//g;
Freundliche Gruesse / Best Regards
Stephan Sachweh
Abteilungsleiter Security Operations
--------------------------------------------------------------------
//// pallas / A Member of the ExperTeam Group
Pallas GmbH / Emil-Figge-Str. 85 / 44227 Dortmund / Germany
Stephan.Sachweh@pallas.com / www.pallas.com
Tel +49-231-9704-221 / Fax +49-231-9704-609 / Mobile +49-173-5490754
--------------------------------------------------------------------
