Metamail Extcompose Program Symlink Vulnerability

It has been reported that Metamail extcompose program may be prone to a symbolic link vulnerability that may allow an attacker to corrupt or overwrite sensitive files. It has been reported that 'extcompose' writes output to a file specified by the user via the command line. The issue has been reported to present itself because the program creates files without verifying the existence of the specified files. A local user may leverage this condition to corrupt arbitrary files triggering a system wide denial of service or potentially elevating their system privileges.

Although unconfirmed, it has been reported that the 'extcompose.sigh' is also vulnerable to this issue.

Metamail 2.7 and prior may be prone to these issues.


Privacy Statement
Copyright 2010, SecurityFocus