remote root exec vulnerability in omail

From: Thijs Dalhuijsen (thijsdalhuijsen.com)
Date: Tue May 04 2004 - 12:10:00 CDT

product: omail webmail
version: 0.98.5
notified: now

the "patch" on omail.pl still leaves the system wide open for attack,

the regex to filter out " and ' doesn't help you much if your $SHELL is bash
or something similar

both back ticks and more arcane ways of shell expansion $(rm -rf /) are
still possible

fix it by replacing the regex around line 411 with something like

        $password = quotemeta($password);

Happy patching,


map{map{tr|10|# |;print}split//,sprintf"%.8b\n",$_}
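
The following is an added example, not part of the original post and not omail's code. It shows why stripping only " and ' leaves shell substitution intact, and how quotemeta() or a shell-free call changes the result. The filter regex, the `printf` sink, and the helper names `strip_quotes`, `via_shell` and `via_argv` are assumptions made for illustration; the test value is constructed and uses harmless echo markers.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed test value: harmless echo markers stand in for a real command.
my $password = q{pw"$(echo SUBST)'`echo TICK`};

# Assumed shape of the insufficient filter: strip only " and '.
sub strip_quotes { my ($s) = @_; $s =~ s/["']//g; return $s }

# Hypothetical sink: the value is interpolated into a command string,
# so /bin/sh parses it before printf ever sees it.
sub via_shell { my ($arg) = @_; return scalar `printf '%s' $arg` }

# Shell-free alternative: list-form pipe open hands argv straight to exec,
# so no shell ever interprets the value.
sub via_argv {
    my ($arg) = @_;
    open(my $fh, '-|', 'printf', '%s', $arg) or die "exec failed: $!";
    local $/;                      # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Line 1: substitutions were run by the shell (markers appear evaluated).
# Lines 2 and 3: the value comes back as literal text.
printf "%-18s %s\n", 'quotes stripped:', via_shell(strip_quotes($password));
printf "%-18s %s\n", 'quotemeta:',       via_shell(quotemeta($password));
printf "%-18s %s\n", 'no shell (argv):', via_argv($password);
```

quotemeta() backslash-escapes every non-word character, but a backslash followed by a newline is a line continuation to the shell, so a value containing a newline does not survive byte-for-byte. Passing the value as a separate argument, as in `via_argv`, removes the shell parsing step altogether.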