VID 21314
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The Open WebMail program, judging by its reported version number, is affected by a remote arbitrary command execution vulnerability in the 'vacation.pl' script.
Open WebMail is an open-source Web mail program written in Perl for Unix-based operating systems. Several versions of Open WebMail allow a non-privileged user to remotely execute arbitrary commands because the 'vacation.pl' script does not properly validate the user-supplied parameter it uses to determine whether the specified list file exists. By supplying a specially crafted file name, a remote attacker could cause an arbitrary command to execute with the privileges of the Web service on the affected system.

* Note: This check relies solely on the version number reported by the remote Open WebMail installation to assess this vulnerability, so it may be a false positive. If the version number was obtained from the file 'openwebmail.pl' and you have applied the patch released on June 29, 2004 or later, the alert for this vulnerability can be ignored.

* References:
http://www.securitytracker.com/alerts/2004/Jun/1010605.html
http://openwebmail.org/openwebmail/download/cert/advisories/SA-04:04.txt

* Platforms Affected:
All versions prior to Open WebMail 2.32 (2004-06-29)
Linux: any version
Recommendation Upgrade to the latest version of Open WebMail 2.32 and apply the patch released on June 29, 2004, available from the Open WebMail Web site at http://openwebmail.org/openwebmail/download/cert/patches/SA-04:04/
Related URL CVE-2004-2284 (CVE)
Related URL 10637 (SecurityFocus)
Related URL 16549 (ISS)