W3Mail Remote Arbitrary Command Execution Vulnerability

W3Mail Remote Arbitrary Command Execution Vulnerability

W3Mail is a full featured open source web mail application implemented as a collection of Perl scripts that runs on Linux and Unix systems. It includes support for sending mail.

When sending email, values passed as script parameters are used as part of a shell command. Shell meta characters are not properly filtered from this input. A maliciously formed URL submitted to the script could contain additional shell commands, which would then be executed by the web server user (generally 'nobody'). As a result, an attacker may execute arbitrary code on the vulnerable server.

Earlier versions of W3Mail may also be vulnerable.