OS Command Injection In modoboa
Description
Modoboa has OS Command Injection
Summary
exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Because domain names (and mailbox addresses) are interpolated directly into the command strings passed to it, without any sanitization, a Reseller or SuperAdmin can put shell metacharacters into a domain name and run arbitrary OS commands on the server.
Details
The root cause is in modoboa/lib/sysutils.py:31:
kwargs["shell"] = True
process = subprocess.Popen(cmd, **kwargs)
When a domain is created with DKIM enabled, the domain name is embedded into a shell command string like this:
exec_cmd(f"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}")
If the domain name contains something like $(id>/tmp/proof).example.com, the shell performs command substitution while expanding the command line, so the injected command runs before openssl does.
The same pattern appears in several other places:
modoboa/admin/jobs.py:38 — mailbox rename via mv using full_address
modoboa/amavis/lib.py:202 — sa-learn using domain.name
modoboa/admin/models/mailbox.py:150 — doveadm user using full_address
modoboa/maillog/graphics.py:105–107 — rrdtool using domain.name
modoboa/webmail/models.py:54–57 — doveadm move/delete using account.email
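The following is an added example, not code from Modoboa, that puts the vulnerable pattern next to a hardened one. vulnerable_cmd() reproduces the string splice from the DKIM sink; hardened_argv() validates the domain name against a plain DNS-name grammar and builds an argv list so that subprocess can be called with shell=False and no shell ever parses the name. shell_demo() uses printf as a harmless stand-in for openssl to show that the shell really does expand $(...) inside the spliced string. The regex, the function names and the /var/lib/dkim path are assumptions made for this example.

```python
import re
import subprocess

# Assumed DNS-name grammar for the example (RFC 1123 labels: letters, digits,
# hyphens; dots only between labels). This is not Modoboa's own validator.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def validate_domain(name: str) -> str:
    """Allow-list check: anything that is not a plain DNS name is rejected.

    Shell metacharacters ($, (, ), `, ;, |, >, spaces ...) can never pass,
    so the value is safe to use as one argv element or a path component.
    """
    if len(name) > 253 or not DOMAIN_RE.match(name):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def vulnerable_cmd(dkim_storage_dir: str, domain_name: str, key_size: int = 2048) -> str:
    """The shell=True pattern: the untrusted name is spliced into one shell string."""
    return f"openssl genrsa -out {dkim_storage_dir}/{domain_name}.pem {key_size}"


def hardened_argv(dkim_storage_dir: str, domain_name: str, key_size: int = 2048) -> list[str]:
    """Build an argv list instead of a string.

    Each element reaches execve() as exactly one argument; with shell=False
    there is no shell to interpret metacharacters. Validation is still done
    so a hostile name cannot smuggle a path or an odd filename through.
    """
    name = validate_domain(domain_name)
    return ["openssl", "genrsa", "-out", f"{dkim_storage_dir}/{name}.pem", str(key_size)]


def run_hardened(argv: list[str]) -> subprocess.CompletedProcess:
    """Run the argv list without a shell (the replacement for exec_cmd's shell=True)."""
    return subprocess.run(argv, shell=False, check=True)


def contains_substitution(cmd: str) -> bool:
    """Cheap audit check for command strings: shell command-substitution syntax present?"""
    return "$(" in cmd or "`" in cmd


def shell_demo(domain_name: str) -> str:
    """Harmless reproduction of the sink: same shell=True splice, but the command is
    printf instead of openssl, so the only effect is the expanded text on stdout."""
    cmd = f"printf '%s\\n' {domain_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    payload = "$(echo injected).example.com"  # constructed, harmless payload
    print("vulnerable string:", vulnerable_cmd("/var/lib/dkim", payload))
    print("shell expands it to:", shell_demo(payload))
    print("hardened argv:", hardened_argv("/var/lib/dkim", "example.com"))
    try:
        hardened_argv("/var/lib/dkim", payload)
    except ValueError as exc:
        print("hardened path rejects payload:", exc)
```

Note that the argv list alone is not a complete fix for every sink listed above: a name that is a valid argv element can still be an unexpected path (for example one containing ../), which is why the allow-list validation is kept in front of the command construction rather than relying on quoting such as shlex.quote().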
PoC
Deploy modoboa <= 2.7.0
Log in as a Reseller or SuperAdmin
Create a new domain named $(id>/tmp/proof).example.com with DKIM enabled
SSH into the server and read /tmp/proof
Something like this will be displayed:
uid=0(root) gid=0(root) groups=0(root)
Confirmed on commit b521bcb4f (latest main at time of discovery).
Impact
An attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server — in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| pypi | modoboa | <= 2.7.0 | 2.7.1 |