| Summary: | CVE-2011-0456 otrs: arbitrary command execution flaw | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | vanmeeuwen+fedora |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-01-29 17:50:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 635847 | ||
| Bug Blocks: | |||
|
Description
Vincent Danen
2011-03-17 20:27:55 UTC
Kurt Seifried pointed out the following commit, that is also relevant to 2.1.7:
diff -ru otrs-2.3.4/scripts/webform.pl otrs-2.3.5/scripts/webform.pl
--- otrs-2.3.4/scripts/webform.pl 2008-04-24 11:32:15.000000000 -0600
+++ otrs-2.3.5/scripts/webform.pl 2009-02-20 04:49:40.000000000 -0700
@@ -241,13 +261,15 @@
push @Mail, "\n";
# send mail
- $Param{From} =~ s/"|;|'|<|>|\|| //ig;
- if ( open( MAIL, "|$Sendmail $Param{From} " ) ) {
- print MAIL @Mail;
- close(MAIL);
+ my $FromEmail = $Param{FromEmail};
+ $FromEmail =~ s/"|;|'|<|>|\||\s|\r|\n|\t|`//ig;
+ $FromEmail = quotemeta $FromEmail;
+ if ( open( my $Mail, '|-', "$Sendmail $FromEmail" ) ) {
+ print $Mail @Mail;
+ close $Mail;
I suspect this is the problem right here.
OTRS has been removed from EPEL5, so this flaw no longer affects anything currently shipped. |