Topic: Loginned user can execute arbitrary command on the server Announced: 2005-05-02 Credits: Matej Vela Affects: all versions before 20050430 Corrected: openwebmail versions after 2.51 20050430 I. Background The open(F, $filename) statement in perl will treat some characters in $filename as shell escape sequence, which causes the sub string in $filename being executed as external command II. Problem Description Several vulnerabilities have been discovered in OWM due to missing validation of CGI parameters supplied as filename III. Impact When correctly exploited, a loginned user can execute arbitrary command on the server with privilege of his own uid IV. Workaround No. V. Solution upgrade to the latest openwebmail-current.tar.gz