| VID | 21459 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | IlohaMail has an information disclosure vulnerability caused by an insecure default installation. IlohaMail is a webmail package written in PHP. IlohaMail versions 0.8.14-rc1 and earlier could allow a remote attacker to obtain sensitive information, potentially including user names and passwords. Specifically, the 'conf/conf.inc', 'conf/custom_auth.inc', and 'conf/login.inc' files are web-readable in the default installation. Sensitive information disclosed in this way may lead to a compromise of email accounts and other attacks.
* References: http://archives.neohapsis.com/archives/bugtraq/2005-01/0112.html
* Platforms Affected: Ryo Chijiiwa, IlohaMail 0.8.14-rc1 and earlier; Any operating system, Any version |
| Recommendation | Upgrade to the latest version of IlohaMail (0.8.14-rc2 or later), available from the IlohaMail Download Web page at http://sourceforge.net/projects/ilohamail/
-- OR --
Reinstall following the 'Proper Installation' instructions in the INSTALL document. |
| Related URL | (CVE) |
| Related URL | 12252 (SecurityFocus) |
| Related URL | 18843 (ISS) |
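A local audit for the condition described above, added here as an example and not taken from the advisory or from IlohaMail: it walks a web server's document root and reports any of the three named configuration files that sit inside it. The function name `exposed_conf_files` and the sample directory layout are assumptions made for illustration.

```python
import os
import tempfile

# The three files this advisory names as web-readable on a default install.
SENSITIVE = ("conf/conf.inc", "conf/custom_auth.inc", "conf/login.inc")


def exposed_conf_files(docroot):
    """Return sorted docroot-relative paths of the named files found under docroot."""
    docroot = os.path.realpath(docroot)
    hits, seen = set(), set()
    # Follow symlinks, since a symlinked install is normally served as well;
    # 'seen' stops the walk from looping on symlink cycles.
    for dirpath, dirnames, _ in os.walk(docroot, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:
            dirnames[:] = []
            continue
        seen.add(real)
        if "conf" not in dirnames:
            continue
        for rel in SENSITIVE:
            candidate = os.path.join(dirpath, *rel.split("/"))
            if os.path.isfile(candidate):
                found = os.path.relpath(candidate, docroot)
                hits.add(found.replace(os.sep, "/"))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample tree standing in for a document root.
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "webmail", "conf")
        os.makedirs(conf_dir)
        for name in ("conf.inc", "custom_auth.inc", "login.inc"):
            with open(os.path.join(conf_dir, name), "w") as fh:
                fh.write("<?php /* constructed sample */ ?>\n")
        for path in exposed_conf_files(root):
            print("inside document root:", path)
```

A hit means the file is located where the web server can serve it; whether it is actually returned to clients also depends on the server's access rules, so treat each hit as a prompt to upgrade or reinstall as the Recommendation describes.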