('binary' encoding is not supported, stored as-is) Product: Omail Webmail Author: Olivier Mueller Vulnerable Versions: - 0.98.x - 0.97.x - ... Omail is a Webmail coded in perl for qmail, optionally with vmailmgr or vpopmail. There is a security flaw in Omail which, if installed by default, allows for remote root access. The minimum risk is exposure of sensitive information (all email accessible to omail), as well as remote execution of commands as a non-privileged user. The flaw occurs in the function checklogin(); ......... omail.pl, line 689: my $command = 'echo -e "'. $domainname .'\000'. $username .'\000'.$password .'\000" | ' .$vauthenticate; my $output = `$command`; ......... Prior to calling this line, the variables $domainname,$username, and $password are not filtered for shell metacharacters, which results in the possibility of the execution of arbritrary commands. The patch in itself is quite simple: --- omail-webmail-0.98.4/omail-old.pl 2001-08-26 08:35:27.000000000 -0400 +++ omail-webmail-0.98.4/omail.pl 2003-07-28 12:29:36.000000000 -0400 @@ -396,7 +396,7 @@ if (($vmailmgr || $vpopmail) && $cgi_mode eq "suid") { - if (!($userid =~ /(.*)\@(.*)/)) { + if (!($userid =~ /([A-Z,a-z,0-9]*)\@([\w\.]*)$/)) { omailerror("domain name is missing : format userid\@domain"); } else { $userid = $1; @@ -406,7 +406,7 @@ my $password = param("password"); - $password =~ /^(.+)$/; + $password =~ /^([^\"]+)$/; $password = $1; # 8 possible cases : The author was contacted two weeks ago, but did not respond. ---------------------------------------------------- Phillip Whelan - Security Consultant BunkerChile S.A. - Network Security Consulting Group homepage: http://www.bunkerchile.net email: infoat_private ----------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 14:31:53 PDT