Lam3rZ Security Advisory #3/2004
23 Feb 2004

Remote command execution in Confirm

Name:            Confirm <=0.62
Severity:        High
Software URL:    http://freshmeat.net/projects/confirm/
Software author: David Lechnyr <davidrl/at/comcast/dot/net>
Advisory author: Mariusz Woloszyn <emsi/AT/GTS/dot/PL>
Vendor notified: Feb 6, 2004
Vendor confirmed: Feb 6, 2004
Vendor fix:      Feb 9, 2004

Impact:
-------
Confirm is a simple procmail script that uses a pattern-matching auto-whitelist to help identify unsolicited email. Forged email headers may lead to remote command execution with the privileges of the user running confirm (or even root, if root uses confirm).

Description:
------------
Due to insufficient filtering of user-supplied data, emails whose headers contain special characters such as ", `, |, ;, $ and so on may trick confirm and lead to command execution.

How to patch:
-------------
Install confirm-0.70 from:
http://hr.uoregon.edu/davidrl/confirm/confirm-0.70.tgz

Please note that significant changes have happened since the previous version!!!

Regards,
-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
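The root cause described above is a header value reaching a shell without filtering. The following is an added example, not code from the advisory or from the Confirm project, showing the defensive pattern a mail filter should use instead: extract the bare address from a sender header, reject it if it contains shell metacharacters or does not match a strict address allowlist, and build the whitelist lookup as an argv list rather than a shell string. The header names, the allowlist regex, the grep-based lookup and the sample message are all assumptions made for this example.

```python
import re
from email.parser import Parser

# Characters the advisory names as dangerous once a header value reaches a
# shell, plus a few more that are equally unsafe (assumption: this list is
# ours, not Confirm's).
SHELL_METACHARS = set('"`|;$&<>()\\\'\n\r')

# Conservative allowlist for the address part of a sender header (assumption).
ADDRESS_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def extract_address(header_value):
    """Return the bare address from 'Name <addr>' or 'addr' forms."""
    m = re.search(r'<([^<>]+)>', header_value)
    return (m.group(1) if m else header_value).strip()


def has_shell_metachars(value):
    """True if any character in value would be interpreted by a shell."""
    return any(ch in SHELL_METACHARS for ch in value)


def validate_sender(header_value):
    """Return the address if it is safe to pass to a filter, else None.

    Rejection, not escaping, is the point: an auto-whitelist only ever needs
    a plain address, so anything else is discarded outright.
    """
    addr = extract_address(header_value)
    if has_shell_metachars(addr) or not ADDRESS_RE.match(addr):
        return None
    return addr


def build_whitelist_lookup_argv(header_value, whitelist_path):
    """Build the argv for a fixed-string grep against the whitelist file.

    Passing a list to subprocess.run() (never shell=True with a formatted
    string) means the address is a single argument and is never parsed by
    a shell, so the characters the advisory lists cannot change the command.
    """
    addr = validate_sender(header_value)
    if addr is None:
        raise ValueError("rejected unsafe or malformed sender header")
    return ["grep", "-F", "-i", "-q", "--", addr, whitelist_path]


def suspicious_sender_headers(raw_message, names=("From", "Reply-To", "Sender")):
    """Detection helper: names of address headers that fail validation."""
    msg = Parser().parsestr(raw_message)
    return [n for n in names if msg.get(n) is not None and validate_sender(msg.get(n)) is None]


# Constructed sample message (not from the advisory); Reply-To carries a ';'.
SAMPLE_MESSAGE = (
    "From: Alice <alice@example.com>\n"
    "Reply-To: helpdesk@example.com;x\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(suspicious_sender_headers(SAMPLE_MESSAGE))          # ['Reply-To']
    print(build_whitelist_lookup_argv("Alice <alice@example.com>", "/tmp/whitelist"))
```

The lookup would then be run with `subprocess.run(argv)`; the example stops at building the argv so it runs without grep or a whitelist file present.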