VID 21365
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description According to its version number, the remote IlohaMail installation has an arbitrary file attachment upload path vulnerability. IlohaMail is a webmail package written in PHP. IlohaMail version 0.7.9-RC2 and earlier contain a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when compose.php fails to check the upload path for file attachments while a message is being composed. As a result, a malicious user of the webmail system may be able to place a file on the host in any location that is writable by the webserver process. It is also possible that existing local files may be overwritten by the malicious file attachment.

* Note: This check relies solely on the version number of the remote IlohaMail software to assess this vulnerability, so it might be a false positive.

* References:
http://www.osvdb.org/displayvuln.php?osvdb_id=7334
http://ilohamail.org/forum/view_thread.php?topic_id=5&id=561
http://secunia.com/advisories/8009

* Platforms Affected:
IlohaMail version 0.7.9-RC2 and earlier
Any operating system, any version
Recommendation Upgrade to the latest version of IlohaMail (0.7.9-stable or later), available from the IlohaMail download site at http://sourceforge.net/projects/ilohamail/
Related URL (CVE)
Related URL 6740 (SecurityFocus)
Related URL 11251 (ISS)