PDA

Bekijk Volledige Versie : Antwort: Openwebmail 1.71 remote root compromise



Stephan Sachweh
23/12/02, 23:02
On 18.12.2002 18:37:59 Dmitry Guyvoronsky wrote:

> Software : Openwebmail (http://openwebmail.org)
> Version : ?.?? -> 1.71 (current)
> Type : Arbitrary commands execution
> Remote : yes
> Root : yes (!!!)
> Date : December 18, 2002


> IV. RECOMENDATIONS
>
> Temporary disable using of openwebmail until patch will be released by
the
> vendor
> or fix openwebmail-shared.pl, changing
>
> - ---
> $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
> - ---
>
> into
>
> - ---
> $loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
> $loginname =~ s/[\.\/\;\|\'\"\`\&]//g;
> - ---

This Fix does not work if loginname includes the internet domain name (the
dot´s disapear).

Change into:
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
$loginname =~ s/[\/\;\|\'\"\`\&]//g;
$loginname =~ s/\.\.//g;

Freundliche Gruesse / Best Regards

Stephan Sachweh
Abteilungsleiter Security Operations
--------------------------------------------------------------------
//// pallas / A Member of the ExperTeam Group
Pallas GmbH / Emil-Figge-Str. 85 / 44227 Dortmund / Germany
Stephan.Sachweh@pallas.com / www.pallas.com
Tel +49-231-9704-221 / Fax +49-231-9704-609 / Mobile +49-173-5490754
--------------------------------------------------------------------