HylaFAX hfaxd -q Command Line Format String

2001-04-12T00:00:00
ID OSVDB:5679
Type osvdb
Reporter Marcin Dawcewicz (miv@gnu.org.pl)
Modified 2001-04-12T00:00:00

Description

Vulnerability Description

HylaFAX contains a format string flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when user input supplied to the hfaxd binary is passed to syslog(). By default, the hfaxd binary is installed setuid root with 'Everyone' access. This flaw may lead to a loss of confidentiality and integrity.
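
The class of bug described above, as an added example that is not HylaFAX code: untrusted text handed to syslog() as the format argument is parsed for conversion directives, while a fixed "%s" format logs it as plain data. The function names and the message text are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern (kept as a comment, not compiled):
 *
 *     syslog(LOG_ERR, user_arg);
 *
 * user_arg is interpreted as the format string, so any conversion
 * directive in it is acted on by the logging call.
 */

/* Count printf-style conversion directives in s.
 * "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened form: the format is a constant, the untrusted string is
 * only ever an argument. Returns the snprintf() result. */
int format_log_line(char *out, size_t outlen, const char *user_arg)
{
    return snprintf(out, outlen, "invalid argument: %s", user_arg);
}

/* Same rule applied to syslog(), plus a warning when the argument
 * carries directives, which is worth flagging in a setuid program. */
void log_user_arg(const char *user_arg)
{
    int n = count_directives(user_arg);
    if (n > 0)
        syslog(LOG_WARNING, "argument contains %d format directive(s)", n);
    syslog(LOG_ERR, "invalid argument: %s", user_arg);
}
```

Compiling with -Wformat -Wformat-security makes GCC and Clang warn about the commented-out pattern wherever it appears in real code.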

Solution Description

Upgrade to version 4.1.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-04/0191.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-04/0189.html
ISS X-Force ID: 6377
CVE-2001-0387
Bugtraq ID: 2574