FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2010-1132

This CVE name corresponds to:

Entered: 2010-05-06
Topic: spamass-milter -- remote command execution vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2010-1132
Phase: Assigned (2010-03-26)

Description

The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0.3.1, when using the expand option, allows remote attackers to execute arbitrary system commands via shell metacharacters in the RCPT TO field of an email message.

References

Source Reference
FULLDISC 20100307 Spamassassin Milter Plugin Remote Root
EXPLOIT-DB 11662
CONFIRM http://bugs.debian.org/573228
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=572117
CONFIRM https://savannah.nongnu.org/bugs/?29136
DEBIAN DSA-2021
FEDORA FEDORA-2010-5096
FEDORA FEDORA-2010-5112
FEDORA FEDORA-2010-5176
BID 38578
OSVDB 62809
SECTRACK 1023691
SECUNIA 38840
SECUNIA 38956
SECUNIA 39265
VUPEN ADV-2010-0559
VUPEN ADV-2010-0683
VUPEN ADV-2010-0837
XF spamassassin-expand-command-execution(56732)