Vendor: MailMan Webmail
By: SecurityFocus
CVSS: 7.5 (HIGH)
Insecure open() Vulnerability
CWE: 78
Product Name: MailMan Webmail
Affected Version From: 3.x
Affected Version To: 3.0.25
Patch Exists: YES
Related CWE: N/A
CPE: endymion.mailman.webmail
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

Endymion MailMan Webmail 3.x Insecure open() Vulnerability

A vulnerability exists in 3.x versions of Endymion MailMan Webmail prior to release 3.0.26. The widely-used Perl script provides a web-email interface. Affected versions make insecure use of the Perl open() function. Attackers can control how open() behaves and execute arbitrary commands. These commands are executed with the privilege level of the CGI script (commonly user 'nobody'). This vulnerability may allow remote attackers to gain interactive 'local' access on the target server. The proof-of-concept request below executes id and echoes back the uid.

Mitigation:

Upgrade to version 3.0.26 or later.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2063/info


The following request will execute id and echo back the uid:

/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3Becho%20""%20%3B%20id%00
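
The insecure open() pattern described above, beside a hardened form, as an added Perl example (not MailMan's code and not part of the advisory). It assumes ALTERNATE_TEMPLATES names a template directory; the template root, the file name login.html and all sub names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical template root, assumed for this example only.
my $TEMPLATE_ROOT = '/var/www/webmail/templates';

# Allowlist check: one directory name, no slashes, dots, pipes, spaces or
# NUL bytes. \A and \z anchor the whole string ($ would allow a trailing \n).
sub valid_template_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/ ? 1 : 0;
}

# UNSAFE, shown for contrast and never called: two-argument open() takes the
# mode from the string itself, so a value beginning with "|" is run as a
# command instead of being opened as a file.
sub open_template_unsafe {
    my ($dir) = @_;
    open(my $fh, "$dir/login.html") or return;
    return $fh;
}

# Hardened: validate first, then use three-argument open() so the mode is a
# literal '<' and the path is only ever treated as a file name.
sub open_template_safe {
    my ($name) = @_;
    return unless valid_template_name($name);
    my $path = File::Spec->catfile($TEMPLATE_ROOT, $name, 'login.html');
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample values: one ordinary name, a traversal attempt, a value
# shaped like the request on this page (leading pipe, trailing NUL), a subpath.
for my $candidate ('default', '../../etc', "| id\0", 'themes/blue') {
    (my $shown = $candidate) =~ s/([^[:print:]])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-14s %s\n", $shown,
        valid_template_name($candidate) ? 'accepted' : 'rejected';
}
```

Only the first sample value passes the allowlist; the other three are rejected before any open() call is reached.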