Avi Alkalay notify from Variable Arbitrary Command Execution

2005-09-12T00:06:15
ID OSVDB:19521
Type osvdb
Reporter Sullo (sullo@cirt.net)
Modified 2005-09-12T00:06:15

Description

Vulnerability Description

notify contains a flaw that may allow a malicious user to execute arbitrary commands on the server. The issue is triggered when a semicolon is entered into the 'from' variable as a separator for arbitrary commands.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.alkalay.net/software/
Secunia Advisory ID: 16886
Related OSVDB ID: 19520
Related OSVDB ID: 19519
Related OSVDB ID: 19522
Related OSVDB ID: 19879
Other Advisory URL: http://www.cirt.net/advisories/alkalay.shtml
CVE-2005-3095