vendor:
Pine
by:
milw0rm.com
7,2
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: Pine
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2000
Grab local pine messages
This exploit allows an attacker to gain access to a user's pine messages by creating a symbolic link between the user's pine temporary file and a file of the attacker's choice. The attacker can then view the user's pine messages by tailing the file they created.
Mitigation:
Ensure that users are not running pine with the settings 'enable-alternate-editor-cmd' and 'enable-alternate-editor-implicitly' enabled. Additionally, ensure that the editor setting is not set to '/usr/bin/vi'.