Info

Disclosure

Feb 20, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

A local overflow exists in qmailadmin. The program fails to properly check input reveived from the PATH_INFO environment variable resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 1.2.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Inter7 Internet Technologies, Inc.

qmailadmin

1.2.9

References

Secunia Advisory ID: 19262 23019
CVE ID: 2006-1141 (see also: NVD)
VUPEN Advisory: ADV-2006-0852
Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?release_id=395211&group_id=6691
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200611-15.xml
Vendor URL: http://www.inter7.com/index.php?page=qmailadmin

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/23705