IlohaMail index.php session Variable Arbitrary File Access

2003-03-04T15:04:49
ID OSVDB:7335
Type osvdb
Reporter jgregg()
Modified 2003-03-04T15:04:49

Description

Vulnerability Description

IlohaMail contains a variable injection flaw that may allow an attacker to gain elevated privileges. No further details have been provided.

Solution Description

Upgrade to version 0.7.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]/index.php?session=/../../../../../../../../../../../../etc/apache/httpd.conf%00

References:

Vendor Specific News/Changelog Entry: http://ilohamail.org/forum/view_thread.php?topic_id=5&id=1248
Vendor Specific Advisory URL
Nessus Plugin ID: 14631