IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.
{"id": "CVE-2005-4558", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2005-4558", "description": "IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.", "published": "2005-12-28T11:03:00", "modified": "2018-10-19T15:41:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}, "cvss3": {}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4558", "reporter": "cve@mitre.org", "references": ["http://secunia.com/secunia_research/2005-62/advisory/", "http://www.securityfocus.com/bid/16069", "http://secunia.com/advisories/17046", "http://secunia.com/advisories/17865", "http://securitytracker.com/id?1015412", "http://www.osvdb.org/22080", "http://www.osvdb.org/22081", "http://marc.info/?l=full-disclosure&m=113570229524828&w=2", "https://exchange.xforce.ibmcloud.com/vulnerabilities/23904", "http://www.securityfocus.com/archive/1/420255/100/0/threaded"], "cvelist": ["CVE-2005-4558"], "immutableFields": [], "lastseen": "2022-03-23T12:54:17", "viewCount": 19, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-0818"]}, {"type": "nessus", "idList": ["VISNETIC_MAILSERVER_FLAWS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231020346", "OPENVAS:20346"]}], "rev": 4}, "score": {"value": 5.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "nessus", "idList": ["VISNETIC_MAILSERVER_FLAWS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231020346"]}]}, "exploitation": null, "vulnersScore": 5.3}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:merak:mail_server:8.3.0r", "cpe:/a:icewarp:web_mail:5.5.1", "cpe:/a:deerfield:visnetic_mail_server:8.3.0_build1"], "cpe23": ["cpe:2.3:a:deerfield:visnetic_mail_server:8.3.0_build1:*:*:*:*:*:*:*", "cpe:2.3:a:merak:mail_server:8.3.0r:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:web_mail:5.5.1:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "affectedSoftware": [{"cpeName": "merak:mail_server", "version": "8.3.0r", "operator": "eq", "name": "merak mail server"}, {"cpeName": "deerfield:visnetic_mail_server", "version": "8.3.0_build1", "operator": "eq", "name": "deerfield visnetic mail server"}, {"cpeName": "icewarp:web_mail", "version": "5.5.1", "operator": "eq", "name": "icewarp web mail"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:merak:mail_server:8.3.0r:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:deerfield:visnetic_mail_server:8.3.0_build1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:icewarp:web_mail:5.5.1:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "http://secunia.com/secunia_research/2005-62/advisory/", "name": "http://secunia.com/secunia_research/2005-62/advisory/", "refsource": "MISC", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "http://www.securityfocus.com/bid/16069", "name": "16069", "refsource": "BID", "tags": ["Exploit"]}, {"url": "http://secunia.com/advisories/17046", "name": "17046", "refsource": "SECUNIA", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "http://secunia.com/advisories/17865", "name": "17865", "refsource": "SECUNIA", "tags": []}, {"url": "http://securitytracker.com/id?1015412", "name": "1015412", "refsource": "SECTRACK", "tags": []}, {"url": "http://www.osvdb.org/22080", "name": "22080", "refsource": "OSVDB", "tags": []}, {"url": "http://www.osvdb.org/22081", "name": "22081", "refsource": "OSVDB", "tags": []}, {"url": "http://marc.info/?l=full-disclosure&m=113570229524828&w=2", "name": "20051227 Secunia Research: IceWarp Web Mail Multiple File", "refsource": "FULLDISC", "tags": []}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/23904", "name": "visnetic-settings-file-include(23904)", "refsource": "XF", "tags": []}, {"url": "http://www.securityfocus.com/archive/1/420255/100/0/threaded", "name": "20051227 Secunia Research: IceWarp Web Mail Multiple File InclusionVulnerabilities", "refsource": "BUGTRAQ", "tags": []}]}
{"cve": [{"lastseen": "2022-03-23T14:20:54", "description": "Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (2) VisNetic MailServer before 8.5.0.5 allows remote authenticated users to include arbitrary files via a modified language parameter and a full Windows or UNC pathname in the lang_settings parameter to mail/index.html, which is not properly sanitized by the validatefolder PHP function, possibly due to an incomplete fix for CVE-2005-4558.", "cvss3": {}, "published": "2006-07-21T14:03:00", "type": "cve", "title": "CVE-2006-0818", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-4558", "CVE-2006-0818"], "modified": "2018-10-18T16:29:00", "cpe": ["cpe:/a:merak:mail_server:8.3.8r", "cpe:/a:icewarp:web_mail:5.6.0", "cpe:/a:deerfield:visnetic_mail_server:8.3.5"], "id": "CVE-2006-0818", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0818", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:deerfield:visnetic_mail_server:8.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:web_mail:5.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:merak:mail_server:8.3.8r:*:windows:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-12-08T11:44:05", "description": "The remote webmail server is affected by multiple vulnerabilities \nwhich may allow an attacker to execute arbitrary commands on the remote\nhost.\n\nDescription:\n\nThe remote host is running VisNetic / Merak Mail Server, a\nmulti-featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially-crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.", "cvss3": {}, "published": "2006-03-26T00:00:00", "type": "openvas", "title": "VisNetic / Merak Mail Server multiple flaws", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-4559", "CVE-2005-4557", "CVE-2005-4558", "CVE-2005-4556"], "modified": "2017-12-07T00:00:00", "id": "OPENVAS:20346", "href": "http://plugins.openvas.org/nasl.php?oid=20346", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: visnetic_mailserver_flaws.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: VisNetic / Merak Mail Server multiple flaws\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n#\n# Copyright:\n# Copyright (C) 2005 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote webmail server is affected by multiple vulnerabilities \nwhich may allow an attacker to execute arbitrary commands on the remote\nhost.\n\nDescription:\n\nThe remote host is running VisNetic / Merak Mail Server, a\nmulti-featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially-crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.\";\n\ntag_solution = \"Upgrade to Merak Mail Server 8.3.5.r / VisNetic Mail Server version\n8.3.5 or later.\";\n\n# Ref: Tan Chew Keong, Secunia Research\n\nif(description)\n{\n script_id(20346);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2005-4556\", \"CVE-2005-4557\", \"CVE-2005-4558\", \"CVE-2005-4559\");\n script_bugtraq_id(16069);\n \n name = \"VisNetic / Merak Mail Server multiple flaws\";\n script_name(name);\n \n \n \n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2005 David Maciejak\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"http_version.nasl\");\n script_require_ports(32000, \"Services/www\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://secunia.com/secunia_research/2005-62/advisory/\");\n script_xref(name : \"URL\" , value : \"http://www.deerfield.com/download/visnetic-mailserver/\");\n exit(0);\n}\n\n#\n# da code\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif ( !get_kb_item(\"Settings/disable_cgi_scanning\") )\n port = get_http_port(default:32000);\nelse\n port = 32000;\n\nif(!get_port_state(port))exit(0);\nif (!can_host_php(port:port)) exit(0);\n\n# nb: software is accessible through either \"/mail\" (default) or \"/\".\ndirs = make_list(\"/mail\", \"\");\nforeach dir (dirs) {\n req = http_get(item:string(dir, \"/accounts/inc/include.php?language=0&lang_settings[0][1]=http://xxxxxxxxxxxxxxx/openvas/\"), port:port);\n r = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\n if(\"http://xxxxxxxxxxxxxxx/openvas/alang.html\" >< r)\n {\n security_message(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-05-08T08:39:56", "description": "The remote webmail server is affected by multiple vulnerabilities\n which may allow an attacker to execute arbitrary commands on the remote host.", "cvss3": {}, "published": "2006-03-26T00:00:00", "type": "openvas", "title": "VisNetic / Merak Mail Server multiple flaws", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-4559", "CVE-2005-4557", "CVE-2005-4558", "CVE-2005-4556"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:136141256231020346", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231020346", "sourceData": "# OpenVAS Vulnerability Test\n# Description: VisNetic / Merak Mail Server multiple flaws\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n#\n# Copyright:\n# Copyright (C) 2005 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n# Ref: Tan Chew Keong, Secunia Research\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.20346\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2005-4556\", \"CVE-2005-4557\", \"CVE-2005-4558\", \"CVE-2005-4559\");\n script_bugtraq_id(16069);\n script_name(\"VisNetic / Merak Mail Server multiple flaws\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2005 David Maciejak\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 32000);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/secunia_research/2005-62/advisory/\");\n script_xref(name:\"URL\", value:\"http://www.deerfield.com/download/visnetic-mailserver/\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Merak Mail Server 8.3.5.r / VisNetic Mail Server version\n 8.3.5 or later.\");\n\n script_tag(name:\"summary\", value:\"The remote webmail server is affected by multiple vulnerabilities\n which may allow an attacker to execute arbitrary commands on the remote host.\");\n\n script_tag(name:\"impact\", value:\"An attacker could send specially-crafted URLs to execute arbitrary\n scripts, perhaps taken from third-party hosts, or to disclose the content of files on the remote system.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default:32000);\nif(!http_can_host_php(port:port))\n exit(0);\n\nvt_strings = get_vt_strings();\nvt_string = vt_strings[\"lowercase\"];\n\n# nb: software is accessible through either \"/mail\" (default) or \"/\".\nforeach dir(make_list(\"/mail\", \"\")) {\n\n url = string(dir, \"/accounts/inc/include.php?language=0&lang_settings[0][1]=http://xxxxxxxxxxxxxxx/\", vt_string, \"/\");\n req = http_get(item:url, port:port);\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\n if(\"http://xxxxxxxxxxxxxxx/\" + vt_string + \"/alang.html\" >< res) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-10-16T16:15:11", "description": "The remote host is running VisNetic / Merak Mail Server, a multi- featured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of this software are prone to multiple flaws. An attacker could send specially crafted URLs to execute arbitrary scripts, perhaps taken from third-party hosts, or to disclose the content of files on the remote system.", "cvss3": {"score": 7.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2005-12-28T00:00:00", "type": "nessus", "title": "VisNetic / Merak Mail Server Multiple Remote Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-4556", "CVE-2005-4557", "CVE-2005-4558", "CVE-2005-4559"], "modified": "2021-01-19T00:00:00", "cpe": [], "id": "VISNETIC_MAILSERVER_FLAWS.NASL", "href": "https://www.tenable.com/plugins/nessus/20346", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20346);\n script_version(\"1.20\");\n\n script_cve_id(\"CVE-2005-4556\", \"CVE-2005-4557\", \"CVE-2005-4558\", \"CVE-2005-4559\");\n script_bugtraq_id(16069);\n\n script_name(english:\"VisNetic / Merak Mail Server Multiple Remote Vulnerabilities\");\n script_summary(english:\"Checks for VisNetic Mail Server arbitrary script include\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote webmail server is affected by multiple vulnerabilities\nthat could allow an attacker to execute arbitrary commands on the\nremote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running VisNetic / Merak Mail Server, a multi-\nfeatured mail server for Windows. \n\nThe webmail and webadmin services included in the remote version of\nthis software are prone to multiple flaws. An attacker could send\nspecially crafted URLs to execute arbitrary scripts, perhaps taken\nfrom third-party hosts, or to disclose the content of files on the\nremote system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/community/research/\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.deerfield.com/download/visnetic-mailserver/\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Merak Mail Server 8.3.5.r / VisNetic Mail Server version\n8.3.5 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2005-4556\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/12/28\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/12/27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"http_version.nasl\");\n script_require_ports(32000, \"Services/www\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n#\n# da code\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif ( !get_kb_item(\"Settings/disable_cgi_scanning\") )\n port = get_http_port(default:32000, embedded:TRUE);\nelse\n port = 32000;\n\nif(!get_port_state(port))exit(0);\nif (!can_host_php(port:port)) exit(0);\n\n# nb: software is accessible through either \"/mail\" (default) or \"/\".\ndirs = make_list(\"/mail\", \"\");\nforeach dir (dirs) {\n req = http_get(item:string(dir, \"/accounts/inc/include.php?language=0&lang_settings[0][1]=http://example.com/nessus/\"), port:port);\n r = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\n if(\"http://example.com/nessus/alang.html\" >< r)\n {\n security_hole(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
CVE-2005-4558
