VID | 21911 |
Severity | 20 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The e107 Website System contains the 'email.php' script that can be used to send arbitrary e-mail messages. e107 is a freely available Web content management system written in PHP. e107 versions prior to 0.7.5 contain a script, 'email.php', that allows an unauthenticated user to send e-mail messages to arbitrary users. A remote attacker could exploit this flaw to send spam and spoofed e-mail.
* References:
  http://e107.org/e107_plugins/forum/forum_viewtopic.php?66179
  http://e107.org/comment.php?comment.news.788
  http://www.frsirt.com/english/advisories/2006/1963
  http://secunia.com/advisories/20262
* Platforms Affected: e107 versions prior to 0.7.5; any operating system, any version |
Recommendation |
Upgrade to the latest version of e107 (0.7.5 or later), available from the e107 Web page at http://e107.org/edownload.php. To minimize automated exploitation of this issue, you can also use its 'captcha' system. |
Related URL | CVE-2006-2591 (CVE) |
Related URL | (SecurityFocus) |
Related URL | (ISS) |
|