VID 21392
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The IMP program has a DB File SQL Injection vulnerability.
IMP (Internet Messaging Program) is a popular Web-based e-mail client package written in PHP for UNIX systems. IMP 2.2.8 and earlier are vulnerable to SQL injection, caused by the application's failure to properly filter user-supplied input that is passed to SQL queries. By sending specially crafted URLs that include SQL commands to the 'mailbox.php3' script, a remote attacker could obtain sensitive information or add, modify, or delete information in the backend database.

* References:
http://www.securiteam.com/unixfocus/5KP0S2K8UE.html
http://securitytracker.com/alerts/2003/Jan/1005904.html
http://marc.theaimsgroup.com/?l=bugtraq&m=104204786206563&w=2

* Platforms Affected:
IMP 2.2.8 and earlier
Conectiva Linux 7.0, 8.0
Debian Linux 2.2, 3.0
SuSE Linux 7.3, 8.0, 8.1
Linux Any version
Recommendation Upgrade to the latest version of IMP (3.1 or later), available from the Horde Web site at http://www.horde.org/imp/

For Debian GNU/Linux:
Upgrade to the latest imp package as listed in the Debian Security Advisory DSA-229-2 at http://www.debian.org/security/2003/dsa-229

For SuSE Linux:
Upgrade to the latest imp package, as listed in the SuSE Security Announcement SuSE-SA:2003:008 at http://www.linuxsecurity.com/advisories/suse_advisory-2862.html

For Conectiva Linux:
Upgrade to the latest imp package, as listed in the Conectiva Linux Security Announcement CLSA-2003:690 at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000690

For other distributions:
Contact your vendor for upgrade or patch information.
Related URL CVE-2003-0025 (CVE)
Related URL 6559 (SecurityFocus)
Related URL 11028 (ISS)