Bugtraq mailing list archives

Re: vpopmail CGIapps vpasswd vulnerabilities


From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Thu, 24 Oct 2002 10:41:48 -0700 (PDT)

Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD

At first I thought this meant it was available from these *BSD package
collections.

But I guess this means that this applies to any system that supports
os.system using a shell.

Also the name of the program is vpasswd.cgi (not to be confused with
different vpasswd).

.: Workaround

Before the os.system() method is called:

import string   # Python 1.x/2.x string module used by the original
# string.replace() returns a new string, so the result must be assigned
# back or the unfiltered value is still passed to the shell.
direc = string.replace(direc, ";", "")
passx = string.replace(passx, ";", "")

Also, it needs to check for other shell operators, meta-characters, etc.

The vendor has released version 0.3 in response to this advisory.

I see the fix has a partial fix.

It doesn't check for `backtick` or $(rm whatever) etc.

Also, it shouldn't just blindly replace with nothing and still run
command, because it may still have unexpected results (so better to just
error instead).

   Jeremy C. Reed

   http://bsd.reedmedia.net/
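The two points raised in the post, that deleting ";" leaves other shell syntax untouched and that a CGI should refuse bad input rather than run a cleaned-up command, as an added example. This is not vpasswd.cgi's code and not the vendor's fix; the parameter names direc and passx are taken from the advisory, everything else (the allowlists, the hypothetical tool path, the sample values) is constructed here. It contrasts the strip-and-run approach with an allowlist check that errors out, and then runs the tool through subprocess with an argument list so no shell ever parses the values.

```python
import re
import subprocess

# Constructed allowlists (assumption: a mail domain and a password are the
# two CGI parameters). Anything outside these character sets is rejected,
# which covers ';', backticks, '$(', '|', '&', newlines and the rest
# without having to enumerate every shell metacharacter.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
_PASSWORD_RE = re.compile(r"[A-Za-z0-9!#%+=@^_.-]{1,128}")


class InvalidInput(ValueError):
    """Raised when a parameter fails the allowlist; nothing is executed."""


def strip_semicolons(value):
    # The version-0.3-style workaround from the advisory: remove ';' and
    # carry on. Shown here only to demonstrate what it leaves behind.
    return value.replace(";", "")


def validate(direc, passx):
    """Fail closed: raise instead of running a sanitised command."""
    if not _DOMAIN_RE.fullmatch(direc):
        raise InvalidInput("domain rejected")
    if not _PASSWORD_RE.fullmatch(passx):
        raise InvalidInput("password rejected")
    return direc, passx


def build_argv(tool, direc, passx):
    """Return the argv list for subprocess; no shell is involved, so the
    values are passed as literal arguments even if they contained
    metacharacters (they cannot here, validate() has already run)."""
    validate(direc, passx)
    return [tool, direc, passx]


def run_tool(tool, direc, passx):
    # shell=False is the default for a list argv; keep it that way.
    result = subprocess.run(build_argv(tool, direc, passx),
                            capture_output=True, check=False)
    return result.returncode


def is_rejected(direc, passx):
    """Convenience wrapper: True when validate() refuses the input."""
    try:
        validate(direc, passx)
    except InvalidInput:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; '/bin/true' is a stand-in for the real tool.
    print(strip_semicolons("exam;ple.org"))      # ';' removed, still runs
    print(strip_semicolons("`example`.org"))     # untouched by the strip
    print(is_rejected("`example`.org", "pw1"))   # True: errors instead
    print(run_tool("/bin/true", "example.org", "hunter2"))
```

Usage note: the allowlist is deliberately narrow; widening it to accept characters like "'" or " " is a policy decision that should be made per field, and even then the argv list keeps those characters from reaching a shell.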
