I don't know if this is even relevant anymore (i.e. has been fixed) but this showed up on bugtraq yesterday. Figured I should pass it along, just in case.
Sincerely, Chris Ess System Administrator / CDTT (Certified Duct Tape Technician) ---------- Forwarded message ---------- Date: 17 Aug 2004 10:44:52 -0000 From: Jérôme ATHIAS <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: vpopmail <= 5.4.2 (sybase vulnerability) Bug: format string and buffer overflow (sybase) Product: vpopmail <= 5.4.2 (sybase vulnerability) Author: Werro [EMAIL PROTECTED] Realease Date : 12/08/04 Risk: Low Vendor status: Vendor is in a big shit :) Reference: http://web-hack.ru/unl0ck/advisories/ Overview: vpopmail is a set of programs for creating and managing multiple virtual domains on a qmail server. Details: Bugs were founded in SyBase. In vsybase.c file. -------------------\ char dirbuf[156]; \__Vulnerability___________________________________________________ ... | if ( strlen(dir) > 0 ) | { | sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user); | ^^^^^^^ - buffer overflow | }else{ | sprintf(dirbuf, "%s/%s", dom_dir, user); | ^^^^^^^ - buffer overflow | } | ... | | if ( site_size == LARGE_SITE ) { | sprintf( SqlBuf, LARGE_INSERT, domstr, | user, pass, pop, gecos, dirbuf, quota); | ^^^^^^^ - format string | } else { | sprintf( SqlBuf, SMALL_INSERT, | SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf, quota); | } ^^^^^^^ - format string ______________________________________________| ----------------------------------------/ Two vulnerability : format string and buffer overflow. Latest Version is Vulnerable. To avoid this bugs, you must use snprintf() with format like "%s". 12/08/04. (c) by unl0ck team. http://web-hack.ru/unl0ck