OMail Webmail Remote Command Execution Vulnerability
Solution: The vendor has released an upgrade to address this issue. Fixes are linked below. Users who are affected by this vulnerability are advised to update as soon as possible. The following solution for this problem was provided; however, Symantec has not verified the validity of this patch:
--- omail-webmail-0.98.4/omail-old.pl 2001-08-26 08:35:27.000000000 -0400 +++ omail-webmail-0.98.4/omail.pl 2003-07-28 12:29:36.000000000 -0400 @@ -396,7 +396,7 @@ if (($vmailmgr || $vpopmail) && $cgi_mode eq "suid") { - if (!($userid =~ /(.*)\@(.*)/)) { + if (!($userid =~ /([A-Z,a-z,0-9]*)\@([\w\.]*)$/)) { omailerror("domain name is missing : format userid\@domain"); } else { $userid = $1; @@ -406,7 +406,7 @@ my $password = param("password"); - $password =~ /^(.+)$/; + $password =~ /^([^\"]+)$/; $password = $1; # 8 possible cases :
OMail OMail webmail 0.97.3
OMail OMail webmail 0.98.3
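Review bot: the new userid pattern in the first hunk, `/([A-Z,a-z,0-9]*)\@([\w\.]*)$/`, is anchored only at the end of the string, so characters outside the class that precede the alphanumeric run are not rejected; the match simply starts later and `$userid = $1` keeps only the trailing portion instead of raising an error. The commas inside `[A-Z,a-z,0-9]` are literal members of the class, so `,` is admitted to the local part, and `[\w\.]*` still accepts an empty domain even though the error branch reports "domain name is missing". Suggest anchoring both ends and requiring at least one character in each part, e.g. `^([A-Za-z0-9]+)\@([\w.]+)$`, and extending the message so it also covers invalid characters in the userid.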
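Review bot: in the second hunk the result of `$password =~ /^([^\"]+)$/;` is never checked before `$password = $1;`. In Perl a failed match does not reset `$1`, so it still holds the capture from the previous successful match (on the visible lines, the userid local part from the hunk above); a password containing a double quote, or an empty password, is therefore silently replaced by that earlier capture rather than rejected. Wrap the match in an `if`/`else` that calls `omailerror(...)` on failure, as the userid check does. Excluding only `"` is also a one-character blocklist for a value handled in suid mode; an allowlist of permitted characters, as used for the userid, would be a more robust untaint.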