vpopmail-CGIApps 'vpasswd.cgi' Remote Command Execution Vulnerability

info
discussion
exploit
solution
references

vpopmail-CGIApps 'vpasswd.cgi' Remote Command Execution Vulnerability

A remote command execution vulnerability has been discovered in vpopmail-CGIApps v0.2.

Due to insufficient sanitization of user-supplied input in vpasswd.cgi, it is possible to pass malicious commands to the os.system() function.

Exploiting this issue allows a remote attacker to execute arbitrary system commands with the permissions of the web server.