GLSA-200611-22 : Ingo H3: Folder name shell command injection
Medium Nessus Plugin ID 23730
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-200611-22 (Ingo H3: Folder name shell command injection)
Ingo H3 fails to properly escape shell metacharacters in procmail rules.
A remote authenticated attacker could craft a malicious rule which could lead to the execution of arbitrary shell commands on the server.
Don't use procmail with Ingo H3.
Solution
All Ingo H3 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-apps/horde-ingo-1.1.2'