Gentoo Logo

Ingo H3: Folder name shell command injection

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200611-22 / horde-ingo
Release Date November 27, 2006
Latest Revision November 27, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-apps/horde-ingo < 1.1.2 >= 1.1.2 All supported architectures

Related bugreports: #153927

Synopsis

Ingo H3 is vulnerable to arbitrary shell command execution when handling procmail rules.

2.  Impact Information

Background

Ingo H3 is a generic frontend for editing Sieve, procmail, maildrop and IMAP filter rules.

Description

Ingo H3 fails to properly escape shell metacharacters in procmail rules.

Impact

A remote authenticated attacker could craft a malicious rule which could lead to the execution of arbitrary shell commands on the server.

3.  Resolution Information

Workaround

Don't use procmail with Ingo H3.

Resolution

All Ingo H3 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-ingo-1.1.2"

4.  References



Print

Page updated November 27, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.