First published: Thu Nov 06 2008(Updated: )
** DISPUTED ** postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files. NOTE: the vendor disputes this vulnerability, stating "This is not a real issue ... users would have to edit a script under /usr/lib to enable it."
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Plone | =2.5.2 | |
Postfix | =2.5.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2008-4977 is disputed by the vendor, so its severity level is unclear but it involves local file overwrite risks.
To mitigate CVE-2008-4977, ensure that Postfix is updated to a version higher than 2.5.2 and check for symlink protections.
CVE-2008-4977 affects users of Postfix version 2.5.2 on systems where local users can create symlinks.
CVE-2008-4977 exploits a symlink attack via temporary files created by postfix_groups.pl.
Using Postfix version 2.5.2 is not recommended due to potential risks associated with CVE-2008-4977.