---------- Forwarded message ----------
Date: Fri, 29 Sep 2000 05:09:22 -0600
From: Kurt Seifried <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: LSLID:2000092901 - Horde && IMP

LSLID:2000092901

[mod note]: I should have reported this earlier, but did not. To be fair, however, I did post the Conectiva advisory. This is the good/bad thing about Linux, they all use pretty much identical code bases for the majority of their distributions. If some vendor (that you do not use) announces a bug in software package foo, which you use on distribution bar, there is a good chance you are affected too.

Horde library (IMP)

From the advisory:

Description:
The Fix of the first detected problem with the $from variable in the horde library was just escaping shellchars which avoids directly executing commands. It is still possible to exploit the parsed $from line and execute commands under the uid and gid of the webserver.

Authors:
Found, exploited and documented by Jens "atomi" Steube.
Fixed by Christian "thepoet" Winter.

Version:
Horde v1.2.1
IMP v2.2.1

Workaround:
The "$from" var has to be checked for "-" chars following the space character. Passing those chars unfiltered will nearly always lead to exploitable bugs or errors. As neither a mail address nor a name with a leading minus sign makes sense, here is a small patch that converts every minus at the beginning of a word into an underscore:
http://ssl.coc-ag.de/sec/index.htm#horde02

Fix:
Best solution would be generally not to pass vars to popen(), but rather opening the pipe to Sendmail by calling popen("$default->path_to_Sendmail -t") and putting all available information into the mail header. This requires some extra checking and converting, but secures the system a lot.

Version 1.3.3 and 1.2.2 are available at http://www.horde.org/, and Conectiva has issued updates.
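The workaround and the fix described in the advisory above, sketched in PHP as an added example (not code from Horde, IMP or the linked patch). The function names, the addresses and the sample $from value are constructed for illustration.

```php
<?php
// Added illustration: hypothetical helper names, constructed sample data.

// Workaround from the advisory: a "-" that starts a word (start of the value
// or right after whitespace) becomes "_", so no word of $from can be read
// as a command-line option by the mailer.
function neutralize_leading_dashes(string $from): string
{
    return preg_replace('/(?<!\S)-/', '_', $from);
}

// Part of the "extra checking and converting" the fix calls for: with -t the
// mailer reads recipients from the headers, so a header value must not
// carry CR/LF that would start a new header line.
function header_value(string $value): string
{
    return trim(preg_replace('/[\r\n]+/', ' ', $value));
}

function build_message(string $from, string $to, string $subject, string $body): string
{
    return 'From: ' . header_value($from) . "\n"
         . 'To: ' . header_value($to) . "\n"
         . 'Subject: ' . header_value($subject) . "\n"
         . "\n" . $body . "\n";
}

// Fix from the advisory: the command is only the configured Sendmail path
// plus "-t"; nothing taken from the request reaches the shell.
function send_via_pipe(string $sendmailPath, string $message): bool
{
    $pipe = popen(escapeshellarg($sendmailPath) . ' -t', 'w');
    if ($pipe === false) {
        return false;
    }
    fwrite($pipe, $message);
    return pclose($pipe) === 0;
}

// Constructed sample: a From value containing option-like words.
$from = 'user@example.org -x -y';
echo neutralize_leading_dashes($from), "\n";
echo build_message($from, 'rcpt@example.org', 'test', 'hello');
// send_via_pipe() is not called here so the sketch runs without a mailer.
```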
