
SpamAssassin spamd vpopmail Username Command Injection

Medium

Synopsis

The remote host is vulnerable to an arbitrary command injection flaw.

Description

The remote host is running SpamAssassin, an anti-spam application that detects and blocks spam emails. Due to a content-parsing error, SpamAssassin can be tricked into executing arbitrary commands with the privileges of the SpamAssassin spamd process. For the flaw to be exploitable, the remote version of SpamAssassin must be running with either '--vpopmail' or '--paranoid' enabled.

Solution

Upgrade or patch according to vendor recommendations.