V-webmail is prone to a remote file-inclusion vulnerability. This issue is due to the application's failure to properly sanitize user-supplied input. A successful exploit can compromise the application and the underlying system.
V-webmail is a PHP-based webmail application with an abundance of features such as multiple identities, a search facility and full support for attachments, and it includes many innovative ideas for web applications. An input validation flaw has been reported in V-webmail that remote attackers can exploit to execute arbitrary code with the privileges of the web server.
The version of V-webmail installed on the remote host fails to sanitize input to the 'CONFIG[pear_dir]' parameter before using it in a PHP include() call in the 'includes/mailaccess/pop3.php' and 'includes/mailaccess/core.php' scripts.

Exploitation requires that PHP's 'register_globals' setting is enabled and that the "includes" directory is placed inside the web root.

This flaw allows a remote user to create a specially-crafted URL that runs arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
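To make the mechanism concrete, the following is an added illustration (not V-webmail's own code) of the include pattern the advisory describes, placed beside a hardened version. The library file name Net/POP3.php, the install path /usr/share/php and the function names are assumptions; only the CONFIG[pear_dir] variable name comes from the advisory.

```php
<?php
// Added illustration, not code from V-webmail. The PEAR library file
// (Net/POP3.php) and the install path are assumptions about what a webmail
// application would load; CONFIG[pear_dir] is the variable named in the advisory.

// --- Vulnerable pattern (as the advisory describes it) --------------------
// With register_globals=On, a request parameter named CONFIG[pear_dir]
// becomes $CONFIG['pear_dir'] before this code runs. If the script does not
// assign that key itself on every path, the request controls the string that
// reaches include(), and with URL includes enabled that string may be a URL.
function load_pop3_library_vulnerable(array $CONFIG): void
{
    // Request-influenced value flows straight into include().
    include($CONFIG['pear_dir'] . '/Net/POP3.php');
}

// --- Hardened pattern -----------------------------------------------------
// 1. The base directory is a constant fixed at install time, never a value a
//    request can supply, so register_globals cannot override it.
// 2. Stream wrappers (http://, ftp://, php:// ...) are rejected outright and
//    the resolved path must stay inside the base directory after realpath().
// 3. The includes/ directory should live outside the web root so its scripts
//    cannot be requested directly (the advisory's second precondition).

define('PEAR_BASE_DIR', '/usr/share/php');   // assumed install path

function resolve_local_library(string $baseDir, string $relative): ?string
{
    // Anything that looks like a URL scheme is refused before touching the filesystem.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $relative)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $relative);
    if ($base === false || $candidate === false) {
        return null;
    }
    // After symlink and ".." resolution the file must still sit under $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

function load_pop3_library_hardened(): void
{
    $path = resolve_local_library(PEAR_BASE_DIR, 'Net/POP3.php');
    if ($path === null) {
        throw new RuntimeException('PEAR Net_POP3 library not found under ' . PEAR_BASE_DIR);
    }
    require_once $path;
}

// Deployment settings that remove the advisory's preconditions:
//   php.ini: register_globals  = Off  (default since PHP 4.2, removed in PHP 5.4)
//            allow_url_include = Off  (PHP 5.2+; include()/require() refuse URLs)
//            allow_url_fopen   = Off  (on older PHP this is the only switch that
//                                      stops include() from fetching remote files)
```

For detection, web server access logs showing a CONFIG[pear_dir] query parameter, particularly one whose value contains a URL scheme, are the signal to look for on hosts running an unpatched V-webmail; the hardened loader above simply ignores the parameter, so such requests fail without loading anything.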