
vpopmail CGIapps vadddomain multiple vulnerabilities

Centaura Technologies Security Research Lab Advisory

Product Name: vpopmail-CGIApps
Systems: Linux/OpenBSD/FreeBSD/NetBSD
Severity: High Risk
Remote: Yes
Category: Insufficient input checking
Vendor URL:
Advisory Author: Ignacio Vazquez
Advisory URL:
Date: 14 October 2002
Advisory Code: CTADVIIC044


vpopmail-CGIApps is a qmail-vpopmail domain administrator
written in Python.

.: Impact
An attacker can execute arbitrary code as the setuid user of the
script (normally vpopmail), giving them the ability to add, modify
and delete accounts and domains in the database, add and edit system
files, etc.
This can lead to complete e-mail server compromise.

.: Description
By providing specially crafted data in the domain form field
(typing ; in there), the script calls the os.system() function,
adds the domain and then executes the command that follows the ;

.: Exploit

In "domini" field, put: "; echo 'test' > /tmp/vpoptest"
When you send the form, a new file in /tmp will be created.

.: Workaround

Before the os.system() method is called (string.replace() returns a new
string, so the result must be assigned back):

import os
import string

domini = string.replace(domini, ";", "")
passx = string.replace(passx, ";", "")
os.system('/usr/bin/sudo -u root /home/vpopmail/bin/vpasswd' + " " + direc + " " + passx)
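The workaround above strips only ";" and still hands the form value to a shell, so other shell metacharacters remain live. The following is an added example (not vpopmail-CGIApps code) of the fix a defender would actually want: reject anything that is not a plain domain name, then invoke vpasswd through an argv list so no shell parses the fields at all. It assumes the form field is named `domini` and reuses the sudo/vpasswd paths from the advisory's workaround; `runner` is an injection point so the call can be exercised without sudo.

```python
import re
import subprocess

# Allowlist for a plain DNS name: dot-separated labels of letters, digits
# and hyphens, no leading/trailing hyphen, label <= 63 chars, at least two
# labels. Anything else, including ';', '|', '&', '$', backticks, quotes,
# spaces and newlines, is rejected outright rather than "cleaned".
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(r"%s(?:\.%s)+" % (_LABEL, _LABEL))


def is_valid_domain(domini):
    """True only if the form value is a syntactically plain domain name."""
    # fullmatch anchors both ends; unlike '$' it does not ignore a trailing
    # newline, which would otherwise let a second shell line through.
    return len(domini) <= 253 and _DOMAIN_RE.fullmatch(domini) is not None


def vulnerable_command(domini, passx):
    """The shell string the original script handed to os.system()."""
    # Everything in domini is interpreted by /bin/sh, so ';' terminates the
    # vpasswd command and whatever follows runs as the setuid user.
    return ("/usr/bin/sudo -u root /home/vpopmail/bin/vpasswd"
            + " " + domini + " " + passx)


def add_domain_safe(domini, passx, runner=subprocess.call):
    """Validate, then run vpasswd with an argv list (no shell involved)."""
    if not is_valid_domain(domini):
        raise ValueError("rejected domain value: %r" % domini)
    # With a list, subprocess passes each element as one argv entry; shell
    # metacharacters in domini or passx are never parsed by a shell.
    argv = ["/usr/bin/sudo", "-u", "root",
            "/home/vpopmail/bin/vpasswd", domini, passx]
    return runner(argv)


if __name__ == "__main__":
    # Constructed inputs; 'runner' is stubbed so nothing is executed here.
    seen = []
    add_domain_safe("example.com", "s3cret", runner=lambda a: seen.append(a) or 0)
    print(seen[0])
    try:
        add_domain_safe("; echo 'test' > /tmp/vpoptest", "x", runner=lambda a: 0)
    except ValueError as exc:
        print("blocked:", exc)
```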

.: Official Fix Information

The vendor has released version 0.3 in response to this advisory.


Ignacio Vazquez

Director of Technology
Security Labs Manager

Centaura Technologies
