Topic: Remote user can execute arbitrary command with root
Announced: 2002-12-19
Credits: Dmitry Guyvoronsky
Affects: all versions prior to 1.81 20021219
Corrected: openwebmail versions after 1.81 2002-12-19
Patches: http://openwebmail.org/openwebmail/download/cert/patches/SA-02:01/
         http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-02:01/

I. Background

Openwebmail is a web-based email system. It contains several Perl CGI scripts that run under the superuser account (suidperl is used).

II. Problem Description

Remote exploitation of several errors within the Openwebmail scripts could allow a remote attacker to execute arbitrary commands with superuser permissions. Although this requires the attacker to be able to put 2 files on the target system (i.e. via ftp, or if he has local shell access), this is a very serious vulnerability and should be taken seriously.

III. Impact

Remote user can execute arbitrary commands on the openwebmail server.

IV. Workaround

None.

V. Solution

Apply the enclosed patch or upgrade to the latest openwebmail-current.

For openwebmail 1.8x ================================================================== --- ow-shared.pl.orig Tue Nov 26 20:20:51 2002 +++ ow-shared.pl Thu Dec 19 17:51:08 2002 @@ -231,6 +231,9 @@ sub readconf { my ($r_config, $r_config_raw, $configfile)=@_; + if ($configfile=~/\.\./) { # .. in path is not allowed for higher security + openwebmailerror("Invalid config file path $configfile"); + } # read config open(CONFIG, $configfile) or openwebmailerror("Couldn't open config file $configfile"); 
@@ -340,6 +343,11 @@ } } + # remove / and .. from variables that will be used in require statement for security + foreach $key ( 'default_language', 'auth_module') { + ${$r_config}{$key} =~ s|/||g; + ${$r_config}{$key} =~ s|\.\.||g; + } # untaint pathname variable defined in openwebmail.conf foreach $key ( 'smtpserver', 'auth_module', 'virtusertable', 'mailspooldir', 'homedirspoolname', 'homedirfolderdirname', ================================================================== For openwebmail 1.64, 1.65, 1.7x ================================================================== --- openwebmail-shared.pl.orig Sat Aug 24 15:59:00 2002 +++ openwebmail-shared.pl Thu Dec 19 17:55:22 2002 @@ -223,6 +223,9 @@ sub readconf { my ($r_config, $r_config_raw, $configfile)=@_; + if ($configfile=~/\.\./) { # .. in path is not allowed for higher security + openwebmailerror("Invalid config file path $configfile"); + } # read config open(CONFIG, $configfile) or openwebmailerror("Couldn't open config file $configfile"); @@ -331,6 +334,11 @@ } } + # remove / and .. from variables that will be used in require statement for security + foreach $key ( 'default_language', 'auth_module') { + ${$r_config}{$key} =~ s|/||g; + ${$r_config}{$key} =~ s|\.\.||g; + } # untaint pathname variable defined in openwebmail.conf foreach $key ( 'smtpserver', 'auth_module', 'virtusertable', 'mailspooldir', 'homedirspoolname', 'homedirfolderdirname', ==================================================================
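Review bot: the new guard in the first ow-shared.pl hunk (`if ($configfile=~/\.\./)`) only rejects the literal `..` substring, so it is a denylist rather than a check that the path resolves inside the expected configuration directory; an absolute `$configfile` pointing elsewhere still reaches `open(CONFIG, $configfile)` untouched. Consider additionally confirming the path sits under the config directory, and verify that `openwebmailerror` terminates the script, since otherwise execution falls through to the `open` on the very next line. The error text also echoes `$configfile` back to the caller, so that value should be escaped wherever openwebmailerror renders it.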
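Review bot: in the second ow-shared.pl hunk the sanitising of `default_language` and `auth_module` strips the offending characters (`s|/||g`, then `s|\.\.||g`) instead of rejecting the value, so a bad config is silently rewritten rather than failing loudly the way the readconf hunk does. The order of the two substitutions matters: removing `/` first and `..` second is what stops a value like `./.` from collapsing into `..`, so that dependency deserves a comment, or better an allowlist match such as `/^[\w-]+$/` applied to both keys before they reach `require`. Note also that `auth_module` still appears in the untaint-pathname loop immediately below; with every `/` now removed it can no longer name a module in a subdirectory, which is worth confirming against existing openwebmail.conf files.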
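Review bot: the two openwebmail-shared.pl hunks for 1.64, 1.65 and 1.7x are line-for-line copies of the ow-shared.pl hunks (only the offsets, 223 and 331, differ), so the same remarks apply: the `..` check is a substring denylist that relies on `openwebmailerror` not returning, and the require-path sanitising strips rather than rejects. A single regression test that feeds a config with `..` in `default_language` and in the `$configfile` path through each branch's readconf would give both branches the same coverage and catch the two copies drifting apart.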