vanjaRELAYGROUP.COM

• Next message: Security Team: "Update to DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail"
• Previous message: Andreas Hasenack: "CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH"
• In reply to: fusysITAPAC.NET: "Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Next in thread: Fyodor: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Reply: Vanja Hrustic: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Reply: Fyodor: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

fusysITAPAC.NET wrote:
> There are at least two distinct bugs we'll mention.

Also, buffer overflow exists in userreg.cgi, which enables remote user
to execute any command as root.

It is also possible to change the password for system users, which don't
have the password already (like 'operator', 'gopher', etc.).

And probably some more (it was pointless going any further - apps seem
to be full of holes).

3RSoft did not respond to mail (sent around 3 months ago), so I have no
idea if they just ignored the report, or they 'silenty' fixed it. I did
not try the latest version.

Vanja Hrustic
SAFER Editor
SAFER - free monthly security newsletter
Subscriptions at http://www.safermag.com

• Next message: Security Team: "Update to DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail"
• Previous message: Andreas Hasenack: "CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH"
• In reply to: fusysITAPAC.NET: "Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Next in thread: Fyodor: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Reply: Vanja Hrustic: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Reply: Fyodor: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]