| VID |
22352 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
A version of ArGoSoft Mail Server older than 1.8.7.7 was detected on the host. ArGoSoft Mail Server is a fully functional SMTP/POP3/Finger server with a built-in HTTP server for Microsoft Windows platforms. ArGoSoft Mail Server version 1.8.7.6 and earlier are affected by the following vulnerabilities:
1) Unauthenticated Account Creation Vulnerability: A remote unauthenticated attacker can send a POST query to the addnew script to create a new user account, even if the 'Allow Creation of Accounts From the Web Interface' option has been disabled.
2) Multiple Cross-Site Scripting Vulnerabilities: The Web mail interface of ArGoSoft Mail Server is vulnerable to multiple cross-site scripting vulnerabilities, caused by improper filtering of HTML tags in email messages. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
* Note: This check relies solely on the banner of the remote HTTP server to assess this vulnerability, so the result might be a false positive.
* References: http://www.securityfocus.com/archive/1/396694
* Platforms Affected: ArGoSoft Mail Server Pro versions 1.8.7.6 and earlier; Microsoft Windows, any version |
| Recommendation |
Upgrade to the latest version of ArGoSoft Mail Server Pro (1.8.7.7 or later) from the ArGoSoft Mail Server download Web site at http://download.cnet.com/ArGoSoft-Mail-Server-Freeware/3000-2369_4-10038331.html |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|