Special chracters are not masked in commands passed to sh from logwatch. This became obvious when a log file named log.3836jai)xoh) was created on our system by a Samba user maliciously logging in as 3836jai)xoh).
This broke logwatch:
sh: -c: line 0: syntax error near unexpected token `)'
sh: -c: line 0: `cat /var/log/samba/log. 4023 /var/log/sa ................
Obviously this also allows for remote command execution with root privileges, for that matter .... what about logging in as "; rm -rf /" ?
Log in to post a comment.