V-webmail is prone to a
remote file-inclusion vulnerability. This issue is due to a failure in
the application to properly sanitize user-supplied input.
This helps an attacker to compromise the application and the
underlying system.
V-webmail is a powerful PHP based webmail
application with an abundance of features like Multiple Identities,
Search facility, Full support for attachments and includes many
innovative
ideas for web applications. An input validation flaw has been reported
in V-webmail, which is exploited by remote attackers to execute
arbitrary code with the privileges of the web server.
The version of V-webmail installed on the remote host fails to
sanitize input to the ''CONFIG[pear_dir]'' parameter before using it in
a PHP include() function in the ''includes/mailaccess/pop3.php''
& ''includes/mailaccess/core.php''
script.
This is provided PHP's 'register_globals' setting is enabled and that
the
"includes" directory is placed inside the web root.
This flaw allows remote user to create a specially-crafted URL to run
arbitrary PHP code from a remote location. The PHP code, including
operating system commands, will run with the privileges of the target
web service.
