[Fwd: Re: [vchkpw] vpopmail <= 5.4.2 (sybase vulnerability) (fwd)] Aug 19 2004 05:25PM
Myron Davis (myrond linmail org)
Hash: SHA1

- ---------------------------- Original Message ----------------------------
Subject: Re: [vchkpw] vpopmail <= 5.4.2 (sybase vulnerability) (fwd) From:
"Tom Collins" <tom (at) tomlogic (dot) com [email concealed]>
Date: Thu, August 19, 2004 9:12 am
To: vchkpw (at) inter7 (dot) com [email concealed]
Cc: Jérôme ATHIAS <jerome.athias (at) caramail (dot) com [email concealed]>
- ------------------------------------------------------------------------

On Aug 19, 2004, at 7:37 AM, Chris Ess wrote:
> I don't know if this is even relevant anymore (i.e. has been fixed) but
this showed up on bugtraq yesterday. Figured I should pass it along,
> in case.
> Sincerely,
> Chris Ess
> System Administrator / CDTT (Certified Duct Tape Technician)
> ---------- Forwarded message ----------
> Date: 17 Aug 2004 10:44:52 -0000
> From: Jérôme ATHIAS <jerome.athias (at) caramail (dot) com [email concealed]>
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: vpopmail <= 5.4.2 (sybase vulnerability)
> Bug: format string and buffer overflow (sybase)
> Product: vpopmail <= 5.4.2 (sybase vulnerability)
> Author: Werro [werro (at) list (dot) ru [email concealed]]
> Realease Date : 12/08/04
> Risk: Low
> Vendor status: Vendor is in a big shit :)
> Reference: http://web-hack.ru/unl0ck/advisories/
> Overview:
> vpopmail is a set of programs for creating and managing
> multiple virtual domains on a qmail server.
> Details:
> Bugs were founded in SyBase. In vsybase.c file.

Thanks for sending this. I started addressing the SQL injection
vulnerabilities last March with code that made it into the 5.5.0
development release. That code flowed into the 5.4.6 release on June
30th. I had marked that release as "development" instead of "stable",
but it's in use by many sites in production, so I'll switch it over to
"stable" today.

Vpopmail sites using any SQL backend (i.e., non-cdb sites) should upgrade
to the 5.4.6 release to close off the SQL injection
vulnerabilities in previous releases. The vulnerabilities made it
possible for a remote attacker to insert additional SQL commands into
data passed into POP/IMAP login, SMTP AUTH, or a QmailAdmin login.

The possible buffer overflow is in the code for adding a user, so it
would only be exploitable by an admin. Even so, I've fixed the problem
in CVS and the change will be in the next stable release. I've also
contacted the publisher of the original report (but have not posted a
followup to bugtraq since I'm not a subscriber).

- --
Tom Collins - tom (at) tomlogic (dot) com [email concealed]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/

Version: GnuPG v1.2.5 (GNU/Linux)


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus