Hylafax Mailing List Archives
hylafax security hole in faxcron, xferstats and recvstats
Hi,
faxcron, xferstats and recvstats as they are installed with
hylafax-v4.0pl2 can be used to execute arbitrary awk programs
as the invoking user. All three programs are usually run by
cron on behalf of the fax user (aka uucp).
faxcron, xferstats and recvstats which are all Bourne Shell scripts
create temporary files in /tmp which are later executed by awk. The
names of these temp files can easily be guessed. Any awk code that is
found in a correct guess (and can not be overwritten) will be run
verbatim.
There are several other files created in /tmp with such a weak
naming scheme. All these files can be used by an attacker to let
uucp (or any other user running one of those scripts) overwrite
any file he has permission to write to (by creating symlinks).
Disabling those scripts completely should not break hylafax
services. You'll only miss those nice reports.
By the way: at least recvstats and xferstats aren't Y2k compliant yet.
Greetings,
tobias
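The pattern described in the post, shown as an added example that is not code from the HylaFAX scripts or from the post's author: a reconstruction of a Bourne shell report script that writes its awk program to a guessable name under /tmp and then runs it, beside a hardened equivalent that keeps the program inside the script (or, where a scratch file is truly needed, creates it with mktemp), plus a small audit check that flags /tmp names not created by mktemp. The function names (`weak_total`, `safe_total`, `private_tmp`, `count_weak_tmp_names`) and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not HylaFAX code. Reconstructs the weak temp-file pattern
# the post describes, a hardened equivalent, and an audit helper.

# Weak pattern (constructed illustration, not the real faxcron/xferstats):
# a pid-based name under /tmp is easy to guess, '>' follows a symlink that
# already sits at that name, and whatever the file holds is run by awk.
weak_total() {
    prog=/tmp/xferstats$$
    echo '{ total += $1 } END { print total + 0 }' > "$prog"
    awk -f "$prog" "$1"
    rm -f "$prog"
}

# Hardened equivalent: the awk program stays inside the script, so there is
# no temporary file for anyone to pre-create, pre-fill or pre-guess.
safe_total() {
    awk '{ total += $1 } END { print total + 0 }' "$1"
}

# When a scratch file is genuinely needed, mktemp creates it with a random
# suffix and O_EXCL, so a symlink planted at that name is not followed and
# the script only ever writes to a file it created itself.
private_tmp() {
    mktemp "${TMPDIR:-/tmp}/hfxstat.XXXXXX"
}

# Audit helper for other scripts: count lines that mention /tmp/ without
# mktemp. These are review candidates, not proof of a problem.
count_weak_tmp_names() {
    grep -E '/tmp/' "$1" | grep -v 'mktemp' | wc -l | tr -d ' '
}

# Demo on constructed input: one byte count per line, as a stats file might.
sample=$(private_tmp)
printf '120\n80\n300\n' > "$sample"
safe_total "$sample"
rm -f "$sample"
```

`count_weak_tmp_names` deliberately over-reports (a comment mentioning /tmp will match too); the point is to surface every candidate so a human can check whether the file is opened exclusively and whether its contents are later executed.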