Endymion MailMan Remote Arbitrary Command Execution Vulnerability
BID:2063
Info
| Bugtraq ID: | 2063 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Unknown |
| Local: | Yes |
| Published: | Dec 06 2000 12:00AM |
| Updated: | Dec 06 2000 12:00AM |
| Credit: | Reported to Bugtraq by "Secure Reality Advisories" <[email protected]> on Wed, 6 Dec 2000. |
| Vulnerable: | Endymion MailMan WebMail 3.0.25, 3.0.24, 3.0.23, 3.0.22, 3.0.21, 3.0.20, 3.0.19, 3.0.18, 3.0.16, 3.0.15, 3.0.14, 3.0.13, 3.0.12, 3.0.11, 3.0.10, 3.0.1, 3.0 |
| Not Vulnerable: | Endymion MailMan WebMail 3.0.26 |
Discussion
A vulnerability exists in 3.x versions of Endymion MailMan WebMail prior to release 3.0.26.
MailMan is a widely used Perl CGI script that provides a web-based e-mail interface.
Affected versions pass user-supplied input to Perl's open() function without validating it. An attacker who controls that input can therefore control how open() interprets its argument (for example, as a pipe to a command rather than a file to read) and execute arbitrary commands.
These commands run with the privilege level of the CGI script (commonly the user 'nobody'). This vulnerability may allow remote attackers to gain interactive 'local' access on the target server.
Exploit / POC
Seth Georgion <[email protected]> provided the following exploit URL:
This will execute and echo back the uid.
/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3Becho%20""%20%3B%20id%00
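Added example, not code from MailMan or from the advisory: the insecure open() pattern described in the Discussion beside an allow-listed three-argument form, and a check over a raw query string that flags the shape of the PoC URL quoted above. The template root, directory names and file names are assumed.

```perl
use strict;
use warnings;

# Added example, not Endymion's code. Paths and template names are assumed.
my $TEMPLATE_ROOT = '/usr/local/mailman/templates';

# VULNERABLE PATTERN: two-argument open() parses its string for a mode.
# If the caller-controlled $alt_dir begins with "|", Perl hands the whole
# string to the shell as a command; a NUL byte (%00 in the URL) ends the
# string at the C level, so whatever the script appends after it is lost.
sub load_template_unsafe {
    my ($alt_dir, $file) = @_;
    open(my $fh, "$alt_dir/$file") or return;
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

# HARDENED FORM: allow-list the directory name, anchor the path under a
# fixed root, and use three-argument open() with an explicit '<' mode so
# the path can only ever be a file name, never a command.
sub load_template_safe {
    my ($alt_dir, $file) = @_;
    return unless defined $alt_dir && $alt_dir =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return unless defined $file    && $file    =~ /\A[A-Za-z0-9_-]+\.(?:html|txt)\z/;
    open(my $fh, '<', "$TEMPLATE_ROOT/$alt_dir/$file") or return;
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

# DETECTION: decode a query string and flag an ALTERNATE_TEMPLATES value
# that starts with a pipe or contains a NUL, the shape of the published PoC.
sub suspicious_query {
    my ($query) = @_;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $v && $k eq 'ALTERNATE_TEMPLATES';
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        return 1 if $v =~ /\A\s*\|/ || $v =~ /\x00/;
    }
    return 0;
}

# Constructed request lines: the first is the advisory's PoC query, the second is benign.
for my $q ('ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3Becho%20""%20%3B%20id%00',
           'ALTERNATE_TEMPLATES=french&FOLDER=INBOX') {
    printf "%-8s %s\n", (suspicious_query($q) ? 'FLAGGED' : 'ok'), $q;
}
```

The same check can be run over the query portion of web-server access-log entries for mmstdod.cgi to find attempts against hosts that have not yet been upgraded.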
Solution / Fix
Solution:
Upgrades available for Endymion MailMan WebMail 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24 and 3.0.25 (all point to the 3.0.27 packages):
- Endymion UNIX Professional 3.0.27 mmprool.tgz
  http://endymion.com/products/mailman/update/mmprool.tgz
- Endymion UNIX Standard Edition 3.0.27 mmstdol.tgz
  http://endymion.com/products/mailman/update/mmstdol.tgz
- Endymion Windows Professional 3.0.27 mmprool.zip
  http://endymion.com/products/mailman/update/mmprool.zip
- Endymion Windows Standard 3.0.27 mmstdol.zip
  http://endymion.com/products/mailman/update/mmstdol.zip