|
|
Info |
Last Modified |
| 6 months ago |
|
|
|
|
Description |
By connecting to the server and supplying a malicious HTTP Host value to emumail, a local user may be able to force the program to open an arbitrary file with the privileges of the HTTP server process. This could result in the execution of an arbitrary program supplied by an attacker with local access to the host.
|
|
Classification |
Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related
|
|
Technical |
Source fragments from emumail.cgi:
-------------------- CUT HERE --------------------
my $http_host = lc $ENV{'HTTP_HOST'};
if ( -e "$http_host.init" ) {
    open(INI, "$http_host.init") || debug "Can't open $http_host.init! : $! ";
    <INI> =~ /page_root\s*=\s*(\S+)/m;
    close(INI);
    $page_root = $1;
}
...
open (IN, "$page_root/.....");
-------------------- CUT HERE --------------------
By setting an HTTP Host like "../../../../../tmp/evil" and placing a config file with the new page_root "/tmp/evilprog ", it is possible for a local user to hijack the CGI user on the next open call.
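For contrast with the fragment above, an added example (not emumail source and not the vendor's 5.2 fix) of handling the same two inputs defensively: the Host header is accepted only if it is a plain DNS name, and the page_root value read from the .init file is checked before use. The directory /etc/webmail/hosts and the names safe_host and page_root_for are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added illustration; not emumail code and not the vendor's fix.
use strict;
use warnings;

# Assumed fixed directory for per-host .init files (the fragment above
# resolves them relative to the CGI's working directory).
my $CONF_DIR = '/etc/webmail/hosts';

# Return the lower-cased host name, or nothing if the header value
# cannot be a DNS name. '/' and '..' never pass this check.
sub safe_host {
    my ($raw) = @_;
    return unless defined $raw;
    my $host = lc $raw;
    $host =~ s/:\d{1,5}\z//;                  # drop an optional :port
    return if length($host) > 253;
    my $label = qr/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/;
    return unless $host =~ /\A$label(?:\.$label)*\z/;
    return $host;
}

# Read page_root for a validated host; returns nothing on any failure.
sub page_root_for {
    my ($raw_host) = @_;
    my $host = safe_host($raw_host) or return;
    my $path = "$CONF_DIR/$host.init";
    # Three-argument open: $path is only ever a file name opened for reading.
    open(my $ini, '<', $path) or return;
    local $/;                                 # read the whole file
    my $text = <$ini>;
    close($ini);
    return unless defined $text && $text =~ /^\s*page_root\s*=\s*(\S+)/m;
    my $root = $1;
    # page_root must be an absolute path of plain path characters, no '..'
    return unless $root =~ m{\A/[A-Za-z0-9._/-]+\z};
    return if $root =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $root;
}

# Constructed sample Host header values
for my $h ('mail.example.com', 'Mail.Example.com:8080',
           '../../../../../tmp/evil', 'a..b', '') {
    printf "%-28s => %s\n", "'$h'",
        defined(safe_host($h)) ? 'accepted' : 'rejected';
}
```

Any later open of a path built from the returned page_root needs the same three-argument form with an explicit '<' mode, so the value is never interpreted as anything other than a file name.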
|
|
Solution |
Upgrade to version 5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
|
|
Products |
|
WebMail | 4.x | 5.1 |
|
|
|
|
Credit |
- Leif Jakob - bugtraq
pinguin.weite-welt.com -
|
|