| VID |
21368 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
According to its version number, the remote IlohaMail installation has flaws in its Spell Check and GnuPG features. IlohaMail is a webmail package written in PHP. These flaws in IlohaMail version 0.8.6 allow an authenticated attacker to run arbitrary commands with the privileges of the web user simply by enclosing them in backticks when spell checking or sending a message.
* Note: This check relies solely on the version number of the remote IlohaMail software to assess this vulnerability, so the result might be a false positive.
* References: http://www.osvdb.org/displayvuln.php?osvdb_id=7332 http://www.osvdb.org/displayvuln.php?osvdb_id=7333
* Platforms Affected: IlohaMail version 0.8.6-devel; any operating system, any version |
| Recommendation |
Upgrade to the latest version of IlohaMail (0.8.7 or later), available from the IlohaMail Download site at http://sourceforge.net/projects/ilohamail/
As a workaround, disable the spell check and GPG features (see conf/conf.inc). |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|