Open WebMail Shell Escape Arbitrary Command Execution
2005-05-04T00:00:00
ID: OPENWEBMAIL_PERL_OPEN.NASL | Type: nessus | Reporter: This script is Copyright (C) 2005-2021 Tenable Network Security, Inc. | Modified: 2021-01-19T00:00:00
Description
According to its banner, the version of Open WebMail installed on the remote host may allow execution of arbitrary shell commands due to its failure to ensure shell escape characters are removed from filenames and other strings before trying to read from them.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before
# any check runs.
if (description) {
  # --- Identity and cross-references ---
  script_id(18190);
  script_version("1.16");

  script_cve_id("CVE-2005-1435");
  script_bugtraq_id(13472);

  script_name(english:"Open WebMail Shell Escape Arbitrary Command Execution");

  # --- Report text ---
  # The multi-line string literals start at column 0 on purpose: the line
  # breaks are part of the string, so indenting them would change the text.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Perl application that allows
execution of arbitrary code.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of Open WebMail installed on the
remote host may allow execution of arbitrary shell commands due to its
failure to ensure shell escape characters are removed from filenames
and other strings before trying to read from them.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e789a315");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Open WebMail 2.5.1-20050430 or later.");

  # --- Risk scoring ---
  # CVSS v2 base vector: network-reachable, low complexity, and Au:S,
  # i.e. a single authentication is required before the flaw can be reached.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # --- Dates and plugin type ---
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/04");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # --- Scheduling ---
  # ACT_GATHER_INFO: registered as an information-gathering check.
  script_summary(english:"Checks for arbitrary execution vulnerability in Open WebMail");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");

  # Runs after the Open WebMail detection plugin, is skipped when CGI
  # scanning is disabled, and needs a web service (or port 80) on the target.
  script_dependencies("openwebmail_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
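# Version-only check for CVE-2005-1435: compares the Open WebMail version
# string stored in the KB against the known-vulnerable range and reports
# the port when it falls inside that range. No request exercising the flaw
# is sent, so the result is only as reliable as the recorded version
# string (a host patched without a version change would still be flagged).

# Pick the web server port to evaluate (defaults to 80).
port = get_http_port(default:80);

# Test an install.
# The KB entry is read from "www/<port>/openwebmail"; it is presumably
# written by openwebmail_detect.nasl, the declared dependency -- confirm.
install = get_kb_item(string("www/", port, "/openwebmail"));
if (isnull(install)) exit(0);

# Expected KB value format: "<version> under <path>". Only the version
# (capture group 1) is used below.
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  ver = matches[1];

  # nb: intermediate releases of 2.51 below 20050430 are vulnerable,
  #     as are 2.50 and earlier releases.
  #
  # Pattern breakdown:
  #   1\.                   any 1.x release
  #   2\.[0-4]              2.0x through 2.4x
  #   2\.50                 2.50 (with or without a date suffix)
  #   2\.51$                2.51 with no date suffix
  #   2\.51 20050[0-3]      2.51 builds dated January-March 2005
  #   2\.51 200504[0-2]     2.51 builds dated 1-29 April 2005
  #
  # The April class was previously [12], which left builds dated
  # 20050401-20050409 unreported although they predate the fixed
  # 20050430 build; [0-2] closes that gap and still excludes 20050430.
  if (ver =~ "^(1\.|2\.([0-4]|50|51$|51 20050([0-3]|4[0-2])))")
    security_warning(port);
}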
{"id": "OPENWEBMAIL_PERL_OPEN.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "Open WebMail Shell Escape Arbitrary Command Execution", "description": "According to its banner, the version of Open WebMail installed on the remote host may allow execution of arbitrary shell commands due to its failure to ensure shell escape characters are removed from filenames and other strings before trying to read from them.", "published": "2005-05-04T00:00:00", "modified": "2021-01-19T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": null, "vector": null}, "href": "https://www.tenable.com/plugins/nessus/18190", "reporter": "This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1435", "http://www.nessus.org/u?e789a315"], "cvelist": ["CVE-2005-1435"], "immutableFields": [], "lastseen": "2021-08-19T13:17:18", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1435"]}, {"type": "nessus", "idList": ["2875.PRM"]}], "rev": 4}, "score": {"value": 6.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2005-1435"]}, {"type": "nessus", "idList": ["OPENWEBMAIL_DETECT.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310107443"]}]}, "exploitation": null, "vulnersScore": 6.8}, "pluginID": "18190", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(18190);\n script_version(\"1.16\");\n\n script_cve_id(\"CVE-2005-1435\");\n script_bugtraq_id(13472);\n\n script_name(english:\"Open WebMail Shell Escape Arbitrary Command Execution\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Perl application that allows\nexecution of arbitrary code.\" );\n 
script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Open WebMail installed on the\nremote host may allow execution of arbitrary shell commands due to its\nfailure to ensure shell escape characters are removed from filenames\nand other strings before trying to read from them.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e789a315\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Open WebMail 2.5.1-20050430 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/05/02\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Checks for arbitrary execution vulnerability in Open WebMail\");\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_dependencies(\"openwebmail_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/openwebmail\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n\n # nb: 
intermediate releases of 2.51 below 20050430 are vulnerable,\n # as are 2.50 and earlier releases.\n if (ver =~ \"^(1\\.|2\\.([0-4]|50|51$|51 20050([0-3]|4[12])))\")\n security_warning(port);\n}\n", "naslFamily": "CGI abuses", "cpe": [], "solution": "Upgrade to Open WebMail 2.5.1-20050430 or later.", "nessusSeverity": "Medium", "cvssScoreSource": "", "vpr": {"risk factor": "Medium", "score": "5.5"}, "exploitAvailable": false, "exploitEase": "No exploit is required", "patchPublicationDate": null, "vulnerabilityPublicationDate": "2005-05-02T00:00:00", "exploitableWith": [], "_state": {"dependencies": 1647589307, "score": 0}}
{"cve": [{"lastseen": "2022-03-23T11:57:31", "description": "Open WebMail (OWM) before 2.51 20050430 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.", "cvss3": {}, "published": "2005-05-03T04:00:00", "type": "cve", "title": "CVE-2005-1435", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-1435"], "modified": "2008-09-05T20:49:00", "cpe": ["cpe:/a:open_webmail:open_webmail:2.51"], "id": "CVE-2005-1435", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1435", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:open_webmail:open_webmail:2.51:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-08-19T13:17:26", "description": "The remote host is running Open Webmail, an open-source perl script that gives remote users a web-based interface to email. This version of Open Webmail is vulnerable to a content-parsing flaw that would allow a remote attack to run arbitrary code on the Open Webmail server. 
Specifically, the application fails to parse out the '|' character which can be used to append commands to system calls.", "cvss3": {"score": 7.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2005-05-03T00:00:00", "type": "nessus", "title": "Open Webmail < 2.51 20050430 Shell Escape Arbitrary Command Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3233", "CVE-2005-1435"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:open_webmail:open_webmail:*:*:*:*:*:*:*:*"], "id": "2875.PRM", "href": "https://www.tenable.com/plugins/nnm/2875", "sourceData": "Binary data 2875.prm", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}