Control: tags -1 + security
* Adam M. Costello , 2014-11-15, 20:47:
(su - nobody -s /bin/sh -c "$SENDMAIL $owner < $i" &) /dev/null 2>&0
Note that "$i" is a name of a file any user can create. This allows
executing arbitrary code as user "nobody".
PoC exploit:
$
Package: nvi
Version: 1.81.6-11+b1
Severity: important
Tags: patch
Dear Maintainer,
/etc/init.d/nviboot attempts to send mail about recovery from crashed
editor sessions, but the attempt fails due to a misplaced quote. This
line:
(su - nobody -s /bin/sh -c $SENDMAIL
2 matches
Mail list logo