Info

Disclosure

Jul 06, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Open Webmail contains a flaw that may allow a malicious user to run arbitrary system commands. The issue is triggered when a crafted request for the vacation.pl script occurs. This flaw may lead to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to -current version tree or apply the vendor supplied patch, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): move vacation.pl to a seperate directory and set the vacationinit and vacationpipe configuration variables.

Products

Open Webmail Project	Open Webmail	2.32
		2.30
		2.21
		2.20
		2.10
		2.01
		2.00

References

Security Tracker: 1010605
Bugtraq ID: 10637
Secunia Advisory ID: 12017
ISS X-Force ID: 16549
CVE ID: 2004-2284 (see also: NVD)
Vendor Specific Advisory URL: http://openwebmail.org/openwebmail/download/cert/advisories/SA-04:04.txt
Other Solution URL: http://openwebmail.org/openwebmail/download/cert/patches/SA-04:04/
Other Advisory URL: http://sourceforge.net/forum/message.php?msg_id=2640281

Credit

Ken Girrard - kgirrardusers.sourceforge.net -

Direct URL: http://osvdb.org/7474

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Open Webmail Project

Open Webmail

References

Credit