Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: vpopm.txt

vpopmail CGIapps vpasswd vulnerabilities

Centaura Technologies Security Research Lab Advisory

Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD
Severity: High Risk
Remote: Yes
Category: Insuficient input checking
Vendor URL:
Advisory Author: Ignacio Vazquez
Advisory URL:
Date: 14 October 2002
Advisory Code: CTADVIIC043


vpopmail-CGIApps is a vpopmail password changer CGI application
written in Python.

=2E: Impact
An attacker can execute arbitrary code as the setuid user of the
script (normally vpopmail), giving him the posibility to add/modify
and delete accounts/domains from the database.
This can lead to complete e-mail server compromise.

=2E: Description
By providing a special crafted data in the password field
(typing ; in there), the script executes os.system() function,
changes the password and then executes the command after the ;

=2E: Exploit.

Put a valid username/password in the first part of the form.
Then, in "new password" field, put: "; echo 'test' > /tmp/vpoptest"
Repeat that string on the confirm password field.
When you send the form a new file in /tmp will be created.

=2E: Workaround

Before the os.system() method is called:

string.replace(direc, ";", "")
string.replace(passx, ";", "")
os.system('/home/vpopmail/bin/vpasswd' +" "+ direc + " "+ passx)

=2E: Official Fix Information

The vendor has released version 0.3 in response of this advisory.


Ignacio Vazquez

Director of Technology - Security Labs Manager

Centaura Technologies

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH