|
Family: CGI abuses --> Category: infos
IlohaMail User Parameter Vulnerability Vulnerability Scan
Vulnerability Scan Summary Checks for User Parameter vulnerability in IlohaMail
Detailed Explanation for this Vulnerability Test
The target is running at least one instance of IlohaMail version
0.8.10 or earlier. Such versions do not properly sanitize the 'user'
parameter, which could allow a remote attacker to execute arbitrary
code either on the target or in a victim's browser when a victim views
a specially crafted message with an embedded image as long as PHP's
magic quotes setting is turned off (it's on by default) and the MySQL
backend is in use.
For a discussion of this vulnerability, see :
http://sourceforge.net/mailarchive/forum.php?thread_id=3589704&forum_id=27701
***** Nessus has acertaind the vulnerability exists on the target
***** simply by looking at the version number of IlohaMail
***** installed there.
Solution : Upgrade to IlohaMail version 0.8.11 or later.
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|