vpopmail-CGIApps is a qmail-vpopmail domain administrator and vpopmail password changer CGI application written in Python. By supplying specially crafted data in the domain form field (a ";" followed by a command), an attacker causes the script's os.system() call to add the domain and then execute the command after the ";".
Impact:
An attacker can execute arbitrary code as the setuid user of the script (normally vpopmail), allowing them to add, modify and delete accounts and domains in the database, add and edit system files, etc.
This can lead to complete e-mail server compromise.
Exploit:
vadddomain:
In the "domini" field, put: "; echo 'test' > /tmp/vpoptest". When you send the form, a new file in /tmp will be created.
vpasswd:
Put a valid username/password in the first part of the form. Then, in the "new password" field, put: "; echo 'test' > /tmp/vpoptest". Repeat that string in the confirm password field. When you send the form, a new file in /tmp will be created.
Temporary workaround:
Before the os.system() method is called, strip the ";" from the user-supplied values. Note that string.replace() returns a new string, so the result must be assigned back:
domini = string.replace(domini, ";", "") or direc = string.replace(direc, ";", "") (depending on the application, vadddomain or vpasswd, respectively)
passx = string.replace(passx, ";", "")
os.system('/usr/bin/sudo -u root /home/vpopmail/bin/vpasswd' + " " + direc + " " + passx)
(NOTE: This is insufficient to address other issues present in this product).
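Stripping ";" leaves every other shell metacharacter (|, &&, backticks, $(...)) untouched. The following is an added example, not code from the advisory or from vpopmail-CGIApps: it keeps the advisory's vpasswd command but builds it as an argument vector, so no shell parses the user input, and it allow-lists the domain and account fields. The account-name shape and the /tmp/vpoptest payload in the tests are assumptions taken from the text above.

```python
import re
import subprocess

# Allow-list for a fully qualified domain: labels of letters, digits and
# hyphens joined by dots. Shell metacharacters (; | & ` $ space ...) cannot
# match, so nothing that passes can alter the command line.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(r"^%s(\.%s)+$" % (_LABEL, _LABEL))
# Assumed shape of a vpopmail account name: local part, optional @domain.
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}(@[A-Za-z0-9.-]{1,253})?$")


def is_valid_domain(domini):
    """True only for a plain domain name; the advisory's payload
    "; echo 'test' > /tmp/vpoptest" is rejected."""
    return len(domini) <= 253 and DOMAIN_RE.match(domini) is not None


def validate_domain(domini):
    if not is_valid_domain(domini):
        raise ValueError("invalid domain name")
    return domini


def validate_account(direc):
    if not ACCOUNT_RE.match(direc):
        raise ValueError("invalid account name")
    return direc


def vulnerable_vpasswd_command(direc, passx):
    """The advisory's pattern: concatenation into one string for os.system(),
    where ';' in either field ends the command and starts a new one."""
    return "/usr/bin/sudo -u root /home/vpopmail/bin/vpasswd" + " " + direc + " " + passx


def vpasswd_argv(direc, passx):
    """Same command as an argument vector. Handed to execve() as a list,
    each element is exactly one argument: a ';' in the password stays a
    literal character in the password, never a command separator."""
    if "\0" in passx:  # argv elements cannot carry NUL bytes
        raise ValueError("invalid password")
    return ["/usr/bin/sudo", "-u", "root", "/home/vpopmail/bin/vpasswd",
            validate_account(direc), passx]


def run_vpasswd(direc, passx):
    # shell=False (the default): /bin/sh is never involved.
    return subprocess.run(vpasswd_argv(direc, passx), check=True).returncode
```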