TITLE:
HylaFAX Authentication Bypass and Command Insertion Vulnerabilities

SECUNIA ADVISORY ID:
SA18314

VERIFY ADVISORY:
http://secunia.com/advisories/18314/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, System access

WHERE:
From remote

SOFTWARE:
HylaFAX 4.x
http://secunia.com/product/2528/

DESCRIPTION:
Some vulnerabilities have been reported in HylaFAX, which can be exploited by malicious people to bypass certain security restrictions and by malicious users to compromise a vulnerable system.

1) An unspecified error exists in "hfaxd" when it is compiled with PAM support disabled. This may be exploited to log in using any password.

The vulnerability has been reported in version 4.2.3.

2) The "notify" script does not properly sanitise user-supplied input before using it. This can be exploited by malicious users to execute arbitrary commands on a vulnerable system.

Successful exploitation requires that the malicious user is able to submit faxes to the server.

The vulnerability has been reported in versions 4.2.0 through 4.2.3.

3) The "faxrcvd" script does not properly sanitise user-supplied input before using it. This can be exploited by malicious users to execute arbitrary commands on a vulnerable system.

Successful exploitation requires that CallID (CIDName/CIDNumber) is configured on the server and that the attacker is able to submit non-alphanumeric characters as CallID data to the server.

The vulnerability has been reported in versions 4.2.2 and 4.2.3.

SOLUTION:
Update to version 4.2.4.
ftp://ftp.hylafax.org/source/hylafax-4.2.4.tar.gz

PROVIDED AND/OR DISCOVERED BY:
1) Dileep
2-3) Patrice Fournier, iFAX Solutions, Inc.
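Items 2 and 3 describe the same bug class: a shell script spliced caller-controlled text (fax metadata, CallID data) into a command line without sanitising it. The POSIX shell script below is an added illustration of that class and of the allowlist check that closes it; it is not HylaFAX's notify or faxrcvd script, and the function names, the eval-based dispatch and the sample CallID strings are constructed for this example.

```shell
#!/bin/sh
# Added illustration of the "command insertion" bug class from items 2 and 3.
# Not HylaFAX code: cid_is_safe, run_unsafe, run_safe and the sample CallID
# values are constructed for this example.

# cid_is_safe CID
# Allowlist check: succeed only if CID is non-empty and contains nothing but
# letters, digits, '.', '_' and '-'. Everything else (';', '`', '$', '|',
# quotes, whitespace, ...) is rejected before the value can reach a shell.
cid_is_safe() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# run_unsafe CID
# The vulnerable pattern: the caller-controlled value is spliced into a command
# string that the shell then re-parses with eval. A CID such as
# 'x; echo INJECTED' therefore runs a second command chosen by the sender.
run_unsafe() {
    cmd="echo Fax received from $1"
    eval "$cmd"
}

# run_safe CID
# The hardened pattern: reject anything outside the allowlist, and use the
# value only inside double quotes, where the shell never re-parses it as
# command syntax. Both measures are needed: quoting alone still lets odd
# characters reach downstream tools, and the allowlist alone is undone by
# a later eval.
run_safe() {
    cid_is_safe "$1" || { echo "rejected CallID" >&2; return 1; }
    echo "Fax received from $1"
}

# Demonstration: the unsafe path prints the injected command's output on a
# second line; the safe path refuses the same input and accepts a clean one.
run_unsafe 'x; echo INJECTED'
run_safe   'x; echo INJECTED' || echo "(rejected as expected)"
run_safe   'Alice-555'
```

The allowlist in cid_is_safe is deliberately narrower than "anything that is not a shell metacharacter": enumerating the characters you accept is robust against the next tool in the pipeline (a mailer, a printer spooler) interpreting something you forgot to deny.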
ORIGINAL ADVISORY:
http://www.hylafax.org/content/HylaFAX_4.2.4_release
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=682
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=719

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------