Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11734
HistoryMar 08, 2006 - 12:00 a.m.

[Full-disclosure] capi4hylafax insecure manipulation with tmp files

2006-03-0800:00:00
vulners.com
8
JSON

capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/ ) is
addon for hylafax fax server (http://www.hylafax.org/)

vulnerable:
capi4hylafax-01.03.00 /probably others/

in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp :

#ifdef GENERATE_DEBUGSFFDATAFILE
dwarning (DebugSffDataFile == 0);
if (!DebugSffDataFile) {
DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
}
#endif

in

and in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp :

#ifdef GENERATE_DEBUGSFFDATAFILE
dassert (DebugSffDataFile == 0);
DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
#endif

vulnerable capi4hylafax-1.1a

in capi4hylafax-1.1a/src/standard/ExtFuncs.h :
#define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"

then in capi4hylafax-1.1a/src/standard/DbgFile.c:
unsigned DebugFileOpen (void) {
DebugFileClose();
hFile = fopen (DEBUG_FILE_NAME, "w");
return (hFile != 0);
}
<snip>
void DebugFilePrint (char *string) {
if (hFile) {
fprintf (hFile, string);
fflush (hFile);
}
printf (string);
}

impact:
a regular user of the system can create a symbolic link to file on which
hylafax has write access leading to overwriting of this file

!!! VENDOR IS NOT NOTIFIED !!!

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org

JSON