SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Open WebMail
Vendors:   openwebmail.org
Open WebMail Input Validation Hole Prior to open() Call Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1013859
SecurityTracker URL:  http://securitytracker.com/id/1013859
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 2 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.51 20050430
Description:   A vulnerability was reported in Open WebMail. A remote authenticated user can execute arbitrary code on the target system.

The software does not properly validate certain user-supplied parameters, which are passed to a Perl open() function call. A remote authenticated user can supply specially crafted parameter values to execute operating system commands on the target system. The commands will run with the privileges of the remote authenticated user.

The vendor credits Matej Vela with reporting this vulnerability.
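
The advisory does not show the affected code. As an added example (not Open WebMail's code and not the vendor's patch), this Perl script shows the general hardening for a user-supplied value that reaches open(): an allowlist check on the value plus the three-argument form of open(), which fixes the mode so that characters in the value cannot change what open() does. The function name, the name pattern and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Open WebMail code. safe_open_read() and all sample
# values below are hypothetical.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Unsafe pattern (assumed, shown for contrast only): two-argument open()
# parses its string for a mode, so characters such as "<", ">" or "|" in a
# user-supplied value decide whether Perl reads, writes or starts a process.
#   open(my $fh, $user_value);

# Hardened form: allowlist the name, confine it to a base directory, and use
# three-argument open() so the mode is fixed and the value is only a path.
sub safe_open_read {
    my ($base_dir, $name) = @_;

    # Allowlist: 1-64 characters, must start with a letter or digit, no path
    # separators and no shell or open() metacharacters.
    return (undef, 'invalid name')
        unless defined $name
            && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/;

    my $path = File::Spec->catfile($base_dir, $name);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Constructed sample data: one legitimate file in a temporary directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($dir, 'inbox.txt')) or die "setup: $!";
print {$out} "hello\n";
close $out;

# Constructed candidate values: one valid name, several that must be refused.
for my $candidate ('inbox.txt', '../etc/passwd', 'inbox.txt|', '|x', '') {
    my ($fh, $err) = safe_open_read($dir, $candidate);
    if ($fh) {
        print "accepted: '$candidate' -> ", scalar(<$fh>);
        close $fh;
    }
    else {
        print "rejected: '$candidate' ($err)\n";
    }
}
```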

Impact:   A remote authenticated user can execute arbitrary code on the target system with the privileges of the user.
Solution:   The vendor has issued a fixed version, available at:

http://openwebmail.org/openwebmail/download/

The vendor has also released patches, available at:

http://openwebmail.org/openwebmail/download/cert/patches/SA-05:02/
http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-05:02/

Vendor URL:  openwebmail.org/openwebmail/download/cert/patches/SA-05:02/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC