Hylafax Mailing List Archives

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

hylafax security hole in faxcron, xferstats and recvstats



Hi,

faxcron, xferstats and recvstats as they are installed with 
hylafax-v4.0pl2 can be used to execute arbitary awk programs
as the invoking user. All three programs are usually run by 
cron on behalf of the fax user (aka uucp).

faxcron, xferstats and recvstats which are all Bourne Shell scripts
create temporary files in /tmp which are later executed by awk. The 
names of these temp files can easily be guessed. Any awk code that is 
found in a correct guess (and can not be overwritten) will be run 
verbatim.

There are several other files created in /tmp with such a weak
naming sheme. All these files can be used by an attacker to let 
uucp (or any other user running one of those scripts) overwrite 
any file he has permission to write to (by creating symlinks).

Disableing those scripts completely should not break hylafax 
serivces. You'll only miss those nice reports.

By the way: at least recvstats and xferstats aren't Y2k compilant yet.

Greetings,
tobias



Home
Report any problems to webmaster@hylafax.org

HylaFAX is a trademark of Silicon Graphics Corporation.
Internet connectivity for hylafax.org is provided by:
VirtuALL Private Host Services