| VID |
21261 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
Mailreader.com contains a remote command execution vulnerability. Mailreader.com, developed by Kim Holviala, is a freely available Web-based POP3 webmail application written in Perl. Versions 2.3.30 and 2.3.31 of Mailreader.com allow a remote attacker to execute commands on the server because shell metacharacters in user-supplied input are not properly validated before the input is passed to the sendmail MTA (Mail Transfer Agent). To exploit this vulnerability, a remote attacker passes malicious shell commands within parameters to the compose.cgi script, which may allow remote attackers to execute arbitrary commands in the underlying shell with the privileges of the web server.
* Note: This check relies solely on the version of Mailreader.com to assess this vulnerability, so the result might be a false positive.
* References: http://marc.theaimsgroup.com/?l=bugtraq&m=103583018300931&w=2
* Platforms Affected: Mailreader.com 2.3.31 and earlier; Linux (any version); Unix (any version); Windows (any version) |
| Recommendation |
Upgrade to the latest version of Mailreader.com, or to version 2.3.33 or later, available from the Mailreader.com Web site at http://www.mailreader.com/
The latest version, Mailreader.com 2.3.35, was released on Mar. 4, 2003. |
| Related URL |
CVE-2002-1582 (CVE) |
| Related URL |
6058 (SecurityFocus) |
| Related URL |
10491 (ISS) |
|