Remote system compromise in IMP

ID SUSE-SA:2003:0008
Type suse
Reporter Suse
Modified 2003-02-18T17:26:49


IMP is a well-known PHP-based webmail system. Some SQL injection vulnerabilities were found in IMP 2.x that allow an attacker to access the underlying database. No authentication is needed to exploit these bugs. An attacker can gain access to protected information or, in conjunction with PostgreSQL, execute shell commands remotely.