Topic:          remote user can execute any program with apache privileges
Announced:      2004-01-27
Credits:        Ken Girrard
Affects:        all versions between 20031008 and 20040127
Corrected:      openwebmail versions after 2.30 20040127
Patches:        http://openwebmail.org/openwebmail/download/cert/patches/SA-04:01/
                http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:01/

I.   Background

userstat.pl is a script designed to let static web pages query a user's mail and calendar status in Open WebMail.

II.  Problem Description

userstat.pl accepted a request parameter as the userid without strict checking. Because that value reaches a shell command, a remote user could exploit it to invoke any program on the server with the privileges of the apache user. This is a very serious vulnerability and should be treated as such.

III. Impact

A remote user can execute any program on the Open WebMail server with the privileges of the apache (web server) user.

IV.  Workaround

userstat.pl is not used by the Open WebMail runtime system, so the sysadmin can simply remove it.

V.   Solution

A. upgrade to the latest openwebmail-current.tar.gz

B. or apply the patch in
   http://openwebmail.org/openwebmail/download/cert/patches/SA-04:01/
   http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:01/
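The class of bug described in the Problem Description, shown as an added Perl illustration that is not Open WebMail's userstat.pl and not the SA-04:01 patch: a CGI-style userid parameter is first used unchecked in a shell command, then handled with a strict whitelist check and a shell-free invocation. The command run is /bin/echo, a stand-in for whatever the real script would call; the userid values are constructed sample input and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not Open WebMail code: unchecked vs. validated userid.
# /bin/echo stands in for the real status-reporting command; the userid
# values below are constructed sample input.
use strict;
use warnings;

# Constructed sample inputs: a legitimate account name and an attacker's
# attempt to append a second command after the userid.
my $good_user = 'alice';
my $evil_user = 'alice; id';

# Vulnerable pattern: the userid is interpolated into a shell command line.
# With $evil_user the shell runs "id" as a second command, i.e. any program
# the attacker names executes with the web server's privileges.
sub userstat_unchecked {
    my ($user) = @_;
    my $out = `/bin/echo status for $user`;
    return $out;
}

# Fix, part 1: accept only what a local account name may contain, and
# nothing else (\z rather than $ so a trailing newline is also rejected).
# Returning the captured group is also what untaints the value under
# perl -T, which a CGI script should run with.
sub clean_userid {
    my ($user) = @_;
    return undef unless defined $user;
    return undef unless $user =~ /^([A-Za-z0-9][A-Za-z0-9_.-]{0,31})\z/;
    return $1;
}

# Fix, part 2: even with a validated value, stay out of the shell. The list
# form of open() hands each argument to the program directly, so shell
# metacharacters have no meaning.
sub userstat_checked {
    my ($user) = @_;
    my $clean = clean_userid($user);
    return "invalid userid\n" unless defined $clean;
    open(my $fh, '-|', '/bin/echo', 'status for', $clean)
        or die "cannot run /bin/echo: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

print "unchecked, good : ", userstat_unchecked($good_user);
print "unchecked, evil : ", userstat_unchecked($evil_user);   # also runs id
print "checked,   good : ", userstat_checked($good_user);
print "checked,   evil : ", userstat_checked($evil_user);     # rejected
```

Run it on any Unix host with perl: the second line of output shows the injected `id` command executing alongside the echo, the fourth shows the same input refused before any command is built. The whitelist regex, not a blacklist of metacharacters, is the check that matters; the shell-free open() is defence in depth for the case where a future change weakens the check.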