Gentoo Logo

Ingo H3: Folder name shell command injection


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200611-22 / horde-ingo
Release Date November 27, 2006
Latest Revision November 27, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-apps/horde-ingo < 1.1.2 >= 1.1.2 All supported architectures

Related bugreports: #153927


Ingo H3 is vulnerable to arbitrary shell command execution when handling procmail rules.

2.  Impact Information


Ingo H3 is a generic frontend for editing Sieve, procmail, maildrop and IMAP filter rules.


Ingo H3 fails to properly escape shell metacharacters in procmail rules.


A remote authenticated attacker could craft a malicious rule which could lead to the execution of arbitrary shell commands on the server.

3.  Resolution Information


Don't use procmail with Ingo H3.


All Ingo H3 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-ingo-1.1.2"

4.  References


Page updated November 27, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.