Re: [cobalt-users] [RaQ550] openwebmail pkg
- Subject: Re: [cobalt-users] [RaQ550] openwebmail pkg
- From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon Dec 23 07:52:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Mon, 23 Dec 2002, Bruce Timberlake wrote:
>
> FYI, there were some exploits mentioned about 1.71 on bugtraq last
> week: http://online.securityfocus.com/archive/1/303997
>
> "Remote exploitation of several errors within the Openwebmail scripts
> could allow a remote attacker to execute arbitrary commands with the
> superuser permissions. Although this requires an attacker to be able to
> put 2 files on target system (i.e. via ftp or if he has local shell
> access), this is a very serious vulnerability and should be taken
> seriously."
>
> IV. RECOMMENDATIONS
>
> "Temporarily disable use of openwebmail until a patch is released
> by the vendor, or fix openwebmail-shared.pl..."
>
Anyone tried the fixes?
fix openwebmail-shared.pl, changing
---
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
---
into
---
$loginname =~ s/\-session\-0.*$//; # Grab loginname from sessionid
$loginname =~ s/[\.\/\;\|\'\"\`\&]//g; # Strip path and shell metacharacters
---
Gerald
--
http://frontstreetnetworks.com | http://raqware.com
Front Street Networks LLC | Phone: +1 203-785-0699
229 Front Street, Ste. C, New Haven, CT. 06513-3203
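As an added illustration, not code from the post, the advisory or Open WebMail itself, the Perl script below runs the original `openwebmail-shared.pl` line and the patched pair quoted above over a few constructed session ids, so you can see what each version hands on as `$loginname`. It also goes one step past the advisory: the `loginname_allowlist` routine is my own alternative that accepts only a fixed character set and rejects everything else, and what counts as a valid login name there is an assumption. The `loginname_*` names and the sample session ids are likewise made up for this example.

```perl
#!/usr/bin/perl
# Added example (not from the post or from Open WebMail): compare what the
# original and the patched lines of openwebmail-shared.pl derive as
# $loginname from a session id, using constructed session ids.
use strict;
use warnings;

# Original line: strip the "-session-0..." suffix and trust whatever is left.
sub loginname_orig {
    my ($sessionid) = @_;
    my $loginname = $sessionid;
    $loginname =~ s/\-session\-0.*$//;      # Grab loginname from sessionid
    return $loginname;
}

# Patched lines from the advisory: same strip, then delete the listed
# path and shell metacharacters.
sub loginname_patched {
    my ($sessionid) = @_;
    my $loginname = loginname_orig($sessionid);
    $loginname =~ s/[\.\/\;\|\'\"\`\&]//g;
    return $loginname;
}

# Editor's alternative (assumption about what a login name may contain,
# not part of the advisory): allow only a known-safe character set and
# reject the value outright instead of silently deleting characters.
sub loginname_allowlist {
    my ($sessionid) = @_;
    my $loginname = loginname_orig($sessionid);
    return undef unless $loginname =~ /^[A-Za-z0-9_-]+$/;
    return $loginname;
}

# Constructed session ids: one benign, two shaped like the advisory's
# concern (path traversal, shell metacharacters), and one using characters
# that the patch's character class does not cover.
my @sessionids = (
    'joe-session-0.123456',
    '../../../tmp/evil-session-0.1',
    'joe;id-session-0.1',
    'joe$(id)-session-0.1',
);

for my $sid (@sessionids) {
    my $al = loginname_allowlist($sid);
    printf "%-32s orig=%-20s patched=%-12s allowlist=%s\n",
        $sid, loginname_orig($sid), loginname_patched($sid),
        defined $al ? $al : '(rejected)';
}
```

Run it with `perl` and compare the rows. The first id yields `joe` in all three columns. The traversal id comes out of the original line as `../../../tmp/evil`, which the patch reduces to `tmpevil`; `joe;id` becomes `joeid`. The last id shows the limit of the patched line: `$`, `(` and `)` are not in its character class, so `joe$(id)` passes through unchanged, while the allowlist rejects it along with the other two hostile values. That is the general caveat with this kind of fix: a list of characters to delete only covers the characters someone thought of, whereas an allowlist on the value you actually expect fails closed on anything unexpected.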