TITLE:
HylaFAX Authentication Bypass and Command Insertion Vulnerabilities

SECUNIA ADVISORY ID:
SA18314

VERIFY ADVISORY:
http://secunia.com/advisories/18314/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, System access

WHERE:
>From remote

SOFTWARE:
HylaFAX 4.x
http://secunia.com/product/2528/

DESCRIPTION:
Some vulnerabilities have been reported HylaFAX, which can be
exploited by malicious people to bypass certain security restrictions
and by malicious users to compromise a vulnerable system.

1) An unspecified error exists in "hfaxd" when compiled with PAM
support disabled. This may be exploited to login using any password.

The vulnerability has been reported in version 4.2.3.

2) The "notify" script does not properly sanitise user's input before
using it. This can be exploited by malicious users to execute
arbitrary commands on a vulnerable system.

Successful exploitation requires that the malicious user is able to
submit faxes to the server.

The vulnerability has been reported in versions 4.2.0 through 4.2.3.


3) The "faxrcvd" script does not properly sanitise user's input
before using it. This can be exploited by malicious users to execute
arbitrary commands on a vulnerable system. 

Successful exploitation requires that CallID (CIDName/CIDNumber) is
configured on the server and the attacker is able to submit non
alphanumeric characters as CallID data to the server.

The vulnerability has been reported in version 4.2.2 and 4.2.3.

SOLUTION:
Update to version 4.2.4.
ftp://ftp.hylafax.org/source/hylafax-4.2.4.tar.gz

PROVIDED AND/OR DISCOVERED BY:
1) Dileep
2-3) Patrice Fournier, iFAX Solutions, Inc.

ORIGINAL ADVISORY:
http://www.hylafax.org/content/HylaFAX_4.2.4_release
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=682
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=719

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------