Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
ssmtp insecure file creation
Apr 18 2004 07:12PM
priestmaster sms at
Hi,
ssmtp 2.50.6 create a logfile /tmp/ssmtp.log. The data in this logfile
is user specified. It's possible to overwrite any file with
the permissons of the ssmtp program (normally root). The
vulnerable call is in log_event. log_event vulnerable call:
#ifdef LOGFILE
if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {
(void)fprintf(fp, "%s\\n", buf);
(void)fclose(fp);
I think, that all versions of ssmtp are vulnerable to this bug.
Have a nice day,
priest (at) priestmaster (dot) org [email concealed]
http://www.priestmaster.org
--
Ein Service von http://www.sms.at
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
ssmtp 2.50.6 create a logfile /tmp/ssmtp.log. The data in this logfile
is user specified. It's possible to overwrite any file with
the permissons of the ssmtp program (normally root). The
vulnerable call is in log_event. log_event vulnerable call:
#ifdef LOGFILE
if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {
(void)fprintf(fp, "%s\\n", buf);
(void)fclose(fp);
I think, that all versions of ssmtp are vulnerable to this bug.
Have a nice day,
priest (at) priestmaster (dot) org [email concealed]
http://www.priestmaster.org
--
Ein Service von http://www.sms.at
[ reply ]