| Field | Value |
|---|---|
| VID | 21777 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | Winmail Server is affected by a path disclosure vulnerability in multiple scripts. Winmail Server is a commercial mail server for Microsoft Windows platforms that includes extensive security measures. Winmail Server version 4.0 (build 1112) and possibly other versions could allow a remote attacker to disclose certain system information. By sending a specially crafted HTTP request to the admin/chgpwd.php, admin/domain.php, or admin/user.php script, a remote attacker could cause the affected server to return an error message containing the installation path. |
| References | http://secunia.com/advisories/13438/ http://www.osvdb.org/displayvuln.php?osvdb_id=12336 http://www.osvdb.org/displayvuln.php?osvdb_id=12337 http://www.osvdb.org/displayvuln.php?osvdb_id=12338 |
| Platforms Affected | AMAX Information Technologies Inc. Winmail Server 4.0 (build 1112) and other versions; Microsoft Windows, any version |
| Recommendation | Set "display_errors = Off" in the "winmail_php.ini" configuration file. |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 18427 (ISS) |
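
An added example, not part of the original advisory or Winmail's own code: a Python check that reads the text of `winmail_php.ini` and reports whether `display_errors` is still effectively enabled after the recommended change. The sample ini contents are constructed, and treating a missing directive as enabled assumes PHP's built-in default of `display_errors = 1`.

```python
# Values the PHP ini parser treats as "off" for a boolean directive.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}


def effective_display_errors(ini_text):
    """Return the last display_errors value assigned in ini_text, or None if unset."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments and [section] headers.
        if not line or line[0] in ";[":
            continue
        key, sep, val = line.partition("=")
        if not sep or key.strip().lower() != "display_errors":
            continue
        val = val.strip()
        if val[:1] in ('"', "'"):
            # Quoted value: take the text up to the closing quote.
            end = val.find(val[0], 1)
            val = val[1:end] if end != -1 else val[1:]
        else:
            # Unquoted value: drop any trailing ';' comment.
            val = val.split(";", 1)[0].strip()
        value = val  # a later assignment overrides an earlier one
    return value


def leaks_errors(ini_text):
    """True if PHP error messages (and the paths in them) would be shown to clients."""
    value = effective_display_errors(ini_text)
    if value is None:
        return True  # directive absent: assumed PHP default is display_errors = 1
    # Conservative: anything not explicitly "off" is flagged.
    return value.lower() not in OFF_VALUES


if __name__ == "__main__":
    # Constructed sample contents standing in for winmail_php.ini.
    samples = {
        "enabled": "[PHP]\ndisplay_errors = On\n",
        "commented out": "[PHP]\n; display_errors = Off\n",
        "overridden later": "display_errors = Off\ndisplay_errors = On\n",
        "hardened": "[PHP]\ndisplay_errors = Off ; per advisory\n",
    }
    for name, text in samples.items():
        print(f"{name}: {'LEAKS' if leaks_errors(text) else 'ok'}")
```

The "commented out" and "overridden later" cases are the ones a plain text search for `display_errors = Off` would wrongly pass.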