vendor: Emumail
by:
CVSS: 5.5 (MEDIUM)
Sensitive Configuration Information Disclosure
CWE: 200
Product Name: Emumail
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unix, Linux, Microsoft Windows

Emumail Sensitive Configuration Information Disclosure

Emumail, an open source web mail application, may reveal sensitive configuration information under certain conditions. When unexpected characters are inserted into certain fields in web mail forms, the form generates an error. The error page returned may contain the directory to the web root on the Emumail server.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input in web mail forms to prevent unexpected characters from causing errors and disclosing sensitive information. Additionally, the error pages should be properly configured to not reveal directory paths.
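The error quoted below ("unmatched () in regexp") is what Perl raises when a string with an unbalanced parenthesis is interpolated directly into a regular expression, and the "Software error:" prefix with the script path is the format CGI::Carp's fatalsToBrowser uses to render an uncaught die. The following Perl is an added example, not Emumail's code; it assumes that pattern (a form field used as a regex) and shows the two mitigations the advisory recommends side by side: neutralising the input before it reaches the regex engine, and confining any remaining failure so the client sees a generic message while the path stays in the server log. The input strings and address list are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not taken from emumail.cgi: a form field matched against
# stored addresses, first the unsafe way, then the hardened way.
use strict;
use warnings;

# Constructed sample data: an unbalanced parenthesis in the search field.
my $user_input   = 'alice)@example.com';
my $address_book = "alice\@example.com\nbob\@example.com\n";

# Assumed vulnerable pattern: raw user input interpolated into a regex.
# An unbalanced ")" makes the regex fail to compile, and Perl dies with a
# message that names the script's absolute path and line number. Under
# "use CGI::Carp qw(fatalsToBrowser)" that message is sent to the browser.
sub match_unsafe {
    my ($needle, $haystack) = @_;
    return scalar($haystack =~ /$needle/);
}

# Hardened: quotemeta() escapes every regex metacharacter so the field is
# matched as a literal string, and eval confines any failure that still
# occurs. The caller only ever gets a generic error; $@ (with the path)
# goes to the error log via warn.
sub match_safe {
    my ($needle, $haystack) = @_;
    my $pattern = quotemeta($needle);
    my $found;
    my $ok = eval { $found = $haystack =~ /$pattern/; 1 };
    unless ($ok) {
        warn "address search failed: $@";    # server log only
        return (undef, "The request could not be processed.");
    }
    return ($found ? 1 : 0, undef);
}

my ($found, $err) = match_safe($user_input, $address_book);
print defined $err ? "$err\n" : ($found ? "match\n" : "no match\n");   # "no match"

# Show what the unsafe version would have leaked, caught here for illustration.
my $ok = eval { match_unsafe($user_input, $address_book); 1 };
print "unsafe version died with: $@" unless $ok;   # message contains the script path
```

On the error-page side, the equivalent configuration change is to leave fatalsToBrowser out of production scripts, or to install a replacement with CGI::Carp's set_message() that prints a fixed string instead of the die text, so a compile failure that does slip through never carries the web root in the response.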
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5823/info

Emumail is an open source web mail application. It is available for the Unix, Linux, and Microsoft Windows operating systems.

Under some conditions, Emumail may reveal sensitive configuration information. When unexpected characters are inserted into some fields in web mail forms, the form generates an error. The error page returned may contain the directory to the web root on the Emumail server.

By inserting a string such as the following into the Email form:

<script>alert(@)</script>

the form will return:

"Software error:
/\s+)my.com)</script>\s+/: unmatched () in regexp at /home/EMU/webmail/html/emumail.cgi line 834.