Gentoo Logo

Ingo H3: Folder name shell command injection

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200611-22 / horde-ingo
Release Date November 27, 2006
Latest Revision November 27, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-apps/horde-ingo < 1.1.2 >= 1.1.2 All supported architectures

Related bugreports: #153927

Synopsis

Ingo H3 is vulnerable to arbitrary shell command execution when handling procmail rules.

2.  Impact Information

Background

Ingo H3 is a generic frontend for editing Sieve, procmail, maildrop and IMAP filter rules.

Description

Ingo H3 fails to properly escape shell metacharacters in procmail rules.

Impact

A remote authenticated attacker could craft a malicious rule which could lead to the execution of arbitrary shell commands on the server.

3.  Resolution Information

Workaround

Don't use procmail with Ingo H3.

Resolution

All Ingo H3 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-ingo-1.1.2"

4.  References

Print

Updated November 27, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Support OSL

Support OSL

Gentoo Centric Hosting: vr.org

VR Hosted

Tek Alchemy

Tek Alchemy

SevenL.net

SevenL.net

Global Netoptex Inc.

Global Netoptex Inc.

Linux World Expo

Linux World Expo
Copyright 2001-2008 Gentoo Foundation, Inc. Questions, Comments? Contact us.