Prior to this Werk, an attacker who could control certain notification
variables such as NOTIFICATIONTYPE or HOSTNAME was able to
inject commands into the fall-back mail command. The injected commands were then
executed as the site user.
With this werk the variable MAIL_COMMAND is no longer available in
You can reduce the risk of exploitation by disabling the listening mode of the
notification spooler (it is disabled by default; this feature exists in CEE/CME only).
All maintained versions (>=1.6) are affected by this vulnerability. Earlier
versions were likely vulnerable as well.
To detect possible exploitation, check var/log/mknotifyd.log and
var/log/notify.log for special shell characters such as
&& and for odd quoting.
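The log check described above can be automated. The following scanner is an added example and not part of this Werk or of Checkmk; it flags any log line that contains shell metacharacters (&&, ||, ;, |, backticks, $( or ${) or an unbalanced quote. The sample lines are constructed for the demonstration and do not reproduce the real mknotifyd.log or notify.log format; the same functions work on the real files line by line.

```python
"""Scan notification log lines for shell metacharacters and odd quoting.

Added example, not Checkmk code. The log lines below are constructed to
illustrate what a tampered notification variable could look like; the
real mknotifyd.log / notify.log layout may differ.
"""
import re
import sys

# Constructed sample lines (not real log content). Lines 2, 4 and 5 carry
# values that a legitimate HOSTNAME or NOTIFICATIONTYPE never contains.
SAMPLE_LINES = [
    "2024-01-01 10:00:00 notify admin via mail, HOSTNAME=web01, NOTIFICATIONTYPE=PROBLEM",
    "2024-01-01 10:00:05 notify admin via mail, HOSTNAME=web02 && id, NOTIFICATIONTYPE=PROBLEM",
    "2024-01-01 10:00:09 notify admin via mail, HOSTNAME=db01, NOTIFICATIONTYPE=RECOVERY",
    '2024-01-01 10:01:00 notify admin via mail, HOSTNAME="x; id, NOTIFICATIONTYPE=PROBLEM',
    "2024-01-01 10:01:30 notify admin via mail, HOSTNAME=app01, NOTIFICATIONTYPE=`id`",
]

# Characters and sequences that let a value break out of a shell command
# string. '>' and '<' are left out because arrows appear in ordinary log text.
SHELL_META = re.compile(r"&&|\|\||[;|`]|\$\(|\$\{")


def odd_quoting(text: str) -> bool:
    """True if the line has an odd number of unescaped single or double quotes."""
    unescaped = re.sub(r"\\[\"']", "", text)  # drop \" and \' before counting
    return unescaped.count('"') % 2 == 1 or unescaped.count("'") % 2 == 1


def scan_line(line: str) -> list[str]:
    """Return the reasons a line is suspicious; an empty list means clean."""
    reasons = []
    hits = SHELL_META.findall(line)
    if hits:
        reasons.append("shell metacharacters: " + ", ".join(sorted(set(hits))))
    if odd_quoting(line):
        reasons.append("unbalanced quoting")
    return reasons


def scan_lines(lines) -> list[tuple[int, list[str], str]]:
    """Scan an iterable of lines; return (line number, reasons, line) per finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            findings.append((lineno, reasons, line.rstrip("\n")))
    return findings


def scan_file(path: str) -> list[tuple[int, list[str], str]]:
    """Scan a log file on disk, e.g. var/log/mknotifyd.log or var/log/notify.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


if __name__ == "__main__":
    # With a path argument the real file is scanned, otherwise the constructed sample.
    findings = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE_LINES)
    for lineno, reasons, line in findings:
        print(f"line {lineno}: {'; '.join(reasons)}")
        print(f"    {line}")
```

Run it against both log files after an incident window and review every hit by hand: a legitimate host name or notification type never contains these characters, so a match is worth a closer look, while free-text fields such as plugin output may produce false positives and should be read in context.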