| VID |
21306 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Open WebMail program, according to its version number, has a Remote Command Execution Vulnerability via the 'userstat.pl' script. Open WebMail is an open-source Web mail program written in Perl for Unix-based operating systems. Versions 2.30 and earlier of Open WebMail could allow a remote attacker to execute arbitrary commands on a target host because the 'userstat.pl' component does not sufficiently filter shell metacharacters in the parameters passed to it. By supplying shell metacharacters in those parameters, a remote attacker could execute arbitrary commands on the target system in the context of the web server.
* Note: This check relied solely on the version number of the remote Open WebMail to assess this vulnerability, so this might be a false positive. If the version number was obtained from the file 'openwebmail.pl' and you applied the patch released on January 27, 2004 or later, please ignore this alert.
* References: http://secunia.com/advisories/11091/
* Platforms Affected: Open WebMail 2.30 (2004-01-17) and earlier; Linux, any version |
| Recommendation |
Upgrade to the latest version (dated 16-June-2004 or later) of Open WebMail from the Open WebMail Web site at http://openwebmail.org. This issue is fixed in Open WebMail 2.30 dated 2004-01-27. |
| Related URL |
(CVE) |
| Related URL |
10316 (SecurityFocus) |
| Related URL |
15444 (ISS) |
|