vendor:
IronWebMail
by:
SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 200 (Information Disclosure)
Product Name: IronWebMail
Affected Version From: Prior to 6.1.1 HotFix-17
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

IronWebMail Remote Information Disclosure Vulnerability

IronWebMail is prone to a remote information-disclosure vulnerability because the application fails to properly sanitize the user-supplied file name passed to its IM_FILE handler. The published request (reproduced in the raw data below) carries "../" sequences double-URL-encoded as "%252e%252e/", the classic bypass for a check that decodes the path only once. Exploiting this issue allows remote, unauthenticated attackers to retrieve the contents of arbitrary files from vulnerable computers with the privileges of the webserver process. Information harvested may aid in further attacks.

Mitigation:

Upgrade to IronWebMail version 6.1.1 HotFix-17 or later.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/20436/info

IronWebMail is prone to a remote information-disclosure vulnerability because the application fails to properly sanitize user-supplied input.

Exploiting this issue allows remote, unauthenticated attackers to retrieve the contents of arbitrary files from vulnerable computers with the privileges of the webserver process. Information harvested may aid in further attacks.

IronWebMail versions prior to 6.1.1 HotFix-17 are affected by this vulnerability.

GET /IM_FILE(%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/admin.xml) HTTP/1.0[CRLF][CRLF]
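The request above, and the sanitization failure described in the summary, drive the following added example. It is not code from IronWebMail, SecurityFocus or Exploit-DB: it models the filtering mistake that double encoding exploits (a check that decodes the path once, so "%252e%252e/" reads as "%2e%2e/" and passes, then becomes "../" when decoded again before the file is opened), the hardened resolver a practitioner would replace it with, and a log-side detector that catches traversal at any encoding depth. The IM_FILE handler logic, the web root /opt/ironwebmail/web/htdocs/im and the decode-twice behaviour are assumptions for illustration; the request path is the one quoted in the advisory.

```python
"""Double-URL-encoded directory traversal against an IM_FILE-style handler.

Added example: not IronWebMail code and not part of the SecurityFocus
advisory. The handler logic, the web root and the decode-twice behaviour
are assumptions; the request path is the one published in the advisory.
"""
import posixpath
import re
from urllib.parse import unquote

# Request path exactly as quoted in the advisory (BID 20436).
ADVISORY_PATH = ("/IM_FILE(%252e%252e/%252e%252e/%252e%252e/"
                 "%252e%252e/%252e%252e/admin.xml)")

# Assumed document root on the target (constructed for this example).
WEB_ROOT = "/opt/ironwebmail/web/htdocs/im"

IM_FILE_RE = re.compile(r"^/IM_FILE\((?P<name>[^)]*)\)$")


def im_file_argument(path):
    """Pull the file name out of /IM_FILE(<name>)."""
    m = IM_FILE_RE.match(path)
    if not m:
        raise ValueError("not an IM_FILE request")
    return m.group("name")


def fully_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing."""
    for _ in range(max_rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def naive_resolve(path, web_root=WEB_ROOT):
    """Hypothetical vulnerable handler.

    Decodes once, looks for '../', and then the file layer decodes a second
    time before opening. %252e%252e/ survives the check as %2e%2e/ and only
    turns into ../ after it.
    """
    once = unquote(im_file_argument(path))
    if "../" in once or "..\\" in once:
        raise PermissionError("traversal rejected")
    twice = unquote(once)  # assumed second decode in the file-open path
    return posixpath.normpath(posixpath.join(web_root, twice))


def safe_resolve(path, web_root=WEB_ROOT):
    """Hardened handler: decode to a fixed point, refuse leftovers and NULs,
    canonicalise, and require the result to stay inside the web root."""
    name = fully_decode(im_file_argument(path))
    if "%" in name or "\x00" in name or "\\" in name:
        raise PermissionError("undecodable or forbidden characters")
    base = posixpath.normpath(web_root) + "/"
    target = posixpath.normpath(posixpath.join(web_root, name))
    if not target.startswith(base):
        raise PermissionError("escapes web root")
    return target


# '..' as a whole path segment, at any position, after full decoding.
TRAVERSAL_RE = re.compile(r"(?<![\w.])\.\.(?=[/\\]|$)")


def looks_like_traversal(raw_request_path):
    """Log/proxy-side check: flag a request whose path contains a '..'
    segment at any decoding depth (catches %2e%2e, %252e%252e, ...)."""
    return bool(TRAVERSAL_RE.search(fully_decode(raw_request_path)))


def is_rejected(resolver, path):
    """True if the resolver refuses the request."""
    try:
        resolver(path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("naive :", naive_resolve(ADVISORY_PATH))           # /admin.xml
    print("safe  :", is_rejected(safe_resolve, ADVISORY_PATH))
    print("detect:", looks_like_traversal(ADVISORY_PATH))
```

The naive handler rejects a single-encoded "%2e%2e/" but lets the advisory's double-encoded path walk up five directories to /admin.xml; the hardened one decodes to a fixed point before checking and then refuses anything whose canonical form leaves the web root, which also covers single encoding, mixed encodings and plain "../". The detector applies the same fixed-point decoding to raw request paths, so a proxy or web-server log can be searched for this bypass without enumerating encoding variants.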