ssmtp insecure file creation Apr 18 2004 07:12PM
priestmaster sms at

ssmtp 2.50.6 create a logfile /tmp/ssmtp.log. The data in this logfile
is user specified. It's possible to overwrite any file with
the permissons of the ssmtp program (normally root). The
vulnerable call is in log_event. log_event vulnerable call:

#ifdef LOGFILE
if((fp = fopen("/tmp/ssmtp.log", "a")) != (FILE *)NULL) {
(void)fprintf(fp, "%s\\n", buf);

I think, that all versions of ssmtp are vulnerable to this bug.

Have a nice day,

priest (at) priestmaster (dot) org [email concealed]

Ein Service von http://www.sms.at

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus