| VID | 21342 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
The BasiliX Webmail installed on the web server, according to its version number, has an arbitrary file disclosure vulnerability. BasiliX is a PHP and Internet Message Access Protocol (IMAP) based webmail program that uses the MySQL database server. BasiliX Webmail versions 1.1.0 and earlier are vulnerable because they fail to properly verify that an attachment is actually an uploaded file. A remote attacker could exploit this vulnerability by attaching a known file on the system (such as /etc/passwd) to an outgoing message, possibly allowing the attacker to send sensitive information to other users.
* Note: This check relies solely on the version number of the remote BasiliX Webmail to assess this vulnerability, so this might be a false positive.
* References: http://securitytracker.com/alerts/2002/Jun/1004574.html http://archives.neohapsis.com/archives/bugtraq/2002-06/0232.html
* Platforms Affected: Murat Arslan, BasiliX Webmail 1.1.0 and earlier; Unix, any version; Linux, any version; Microsoft Windows, any version |
| Recommendation | Upgrade to the latest version (1.1.1 or later) of BasiliX Webmail, available from the BasiliX web site at http://sourceforge.net/projects/basilix/ |
| Related URL | CVE-2002-1710 (CVE) |
| Related URL | 5062 (SecurityFocus) |
| Related URL | 9386 (ISS) |