> Product Name: vpopmail-CGIApps
> Systems: Linux/OpenBSD/FreeBSD/NetBSD

At first I thought this meant it was available from these *BSD package collections. But I guess this means that this applies to any system that supports os.system using a shell.

Also the name of the program is vpasswd.cgi (not to be confused with different vpasswd).

> .: Workaround
>
> Before the os.system() method is called:
>
> string.replace(direc, ";", "")
> string.replace(passx, ";", "")

Also, need to check for other shell operators, meta-characters, etc.

> The vendor has released version 0.3 in response of this advisory.

I see the fix has a partial fix. It doesn't check for `backtick` or $(rm whatever) etc. Also, it shouldn't just blindly replace with nothing and still run command, because it may still have unexpected results (so better to just error instead).

Jeremy C. Reed
http://bsd.reedmedia.net/
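An added example, not part of the original message and not the vendor's code: it contrasts the quoted semicolon-stripping workaround with rejecting the request on any character outside an allowlist, and with running the helper from an argument list so that no shell parses the input. The allowlist pattern, the function names and the echo stand-in for the real helper program are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumption: names start with a letter, digit, '_' or '@' and may then
# contain '.', and '-'. A leading '-' or '.' is refused on purpose.
ALLOWED = re.compile(r"[A-Za-z0-9_@][A-Za-z0-9._@-]*")


def strip_semicolons(value):
    """The quoted workaround: delete ';' and carry on with what is left."""
    return value.replace(";", "")


def validate_field(name, value):
    """Reject the whole request instead of rewriting the input."""
    if not ALLOWED.fullmatch(value):
        raise ValueError(f"illegal character in {name}")
    return value


def run_without_shell(argv):
    """Run argv directly; with no shell, no operator is ever interpreted."""
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout


def echo_argument(value):
    """Hypothetical stand-in for the real helper: writes back its argv[1]."""
    code = "import sys; sys.stdout.write(sys.argv[1])"
    return run_without_shell([sys.executable, "-c", code, value])


# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["joe", "joe.smith", "joe;id", "joe`id`", "joe$(id)", "joe|id", "-f"]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            verdict = "accepted: " + validate_field("direc", s)
        except ValueError as exc:
            verdict = "rejected: " + str(exc)
        print(f"{s!r:12} stripped={strip_semicolons(s)!r:12} {verdict}")
    # Passed as one list element, the text reaches the program unchanged.
    print(repr(echo_argument("joe$(id)")))
```

Validation and the argument list are independent layers: the first refuses unexpected input outright, the second keeps any input that does get through from being parsed as shell syntax.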