CVE-2003-1426
cPanel 5.0 - Local Arbitrary Code Execution via SCRIPT_FILENAME Environment Variable
Openwebmail in cPanel 5.0, when run using suid Perl, adds the directory in the SCRIPT_FILENAME environment variable to Perl's @INC include array, which allows local users to execute arbitrary code by modifying SCRIPT_FILENAME to reference a directory containing a malicious openwebmail-shared.pl executable.
References (3)
Core References
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/6885
Third Party Advisory mailing-list
x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0087.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/11357
Scores
EPSS: 0.0007
EPSS Percentile: 20.3%
Details
CWE: CWE-16
Status: published
Products (1): cpanel/cpanel 5.0
Published: Dec 31, 2003
Tracked Since: Feb 18, 2026