+ "details": "### Summary\n\n`exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.\n\n### Details\n\nThe root cause is in `modoboa/lib/sysutils.py:31`:\n\n```python\nkwargs[\"shell\"] = True\nprocess = subprocess.Popen(cmd, **kwargs)\n```\n\nWhen a create a domain is created with DKIM enabled, the domain name gets embedded into a shell command like this:\n\n```python\nexec_cmd(f\"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}\")\n```\n\nIf the domain name contains something like `$(id>/tmp/proof).example.com`, the shell executes the injected command before running openssl.\n\nThe same pattern appears in several other places:\n\n- `modoboa/admin/jobs.py:38` — mailbox rename via `mv` using `full_address`\n- `modoboa/amavis/lib.py:202` — `sa-learn` using `domain.name`\n- `modoboa/admin/models/mailbox.py:150` — `doveadm user` using `full_address`\n- `modoboa/maillog/graphics.py:105–107` — `rrdtool` using `domain.name`\n- `modoboa/webmail/models.py:54–57` — `doveadm move/delete` using `account.email`\n\n### PoC\n\n1. Deploy modoboa <= 2.7.0\n2. Log in as a Reseller or SuperAdmin\n3. Create a new domain named `$(id>/tmp/proof).example.com` with DKIM enabled\n4. SSH into the server and read `/tmp/proof`\n\nSomething like this will be displayed:\n\n```\nuid=0(root) gid=0(root) groups=0(root)\n```\n\nConfirmed on commit b521bcb4f (latest main at time of discovery).\n\n### Impact\n\nAn attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server — in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments