Debian Security Advisory DSA 933-1 - Patrice Fournier found that hylafax passes unsanitized user data in the notify script, allowing users with the ability to submit jobs to run arbitrary commands with the privileges of the hylafax server.
1f5fa099b5bf99d93d10fcbd8ea336aad6733df2dc6c93c4ea12c234a3bbbe87
HylaFAX version 4.2.3 hfaxd will allow any password when compiled with PAM support disabled. Also, the HylaFAX notify script passes unsanitised user-supplied data to eval, allowing remote attackers to execute arbitrary commands. The data needs to be part of a submitted job and as such, attackers must have access to submit faxes to the server in order to exploit this vulnerability. HylaFAX versions 4.2.0 up to 4.2.3 are vulnerable.
940f31d4b111f497cbe8343e2c0678d52d659fe18db5b413994ccf428256c276