| VID | 21214 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "mmstdod.cgi" CGI is installed. MailMan is a product by Endymion Corporation that provides a web-based interface to email via POP3 and SMTP. MailMan is very popular due to its amazingly easy setup and operation. A security flaw exists in the "mmstdod.cgi" CGI of all 3.x versions of MailMan Webmail below 3.0.26. The code contains several insecure calls to open() containing user-specified data. These calls can be used to execute arbitrary commands with the privileges of the HTTP daemon (root or nobody). References: http://www.securityfocus.com/bid/2063 http://www.iss.net/security_center/static/5649.php |
| Recommendation | Upgrade to the latest version of MailMan (3.0.26) at the reference site. |
| Related URL | CVE-2001-0021 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |