Vulnerabilities > CVE-2003-0266 - Unspecified vulnerability in Bvrp Software Slwebmail 3.0

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
bvrp-software
nessus
NVD
Published: 2003-05-27
Updated: 2024-11-20

Summary

Multiple buffer overflows in SLWebMail 3 on Windows systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long Language parameter to showlogin.dll, (2) a long CompanyID parameter to recman.dll, (3) a long CompanyID parameter to admin.dll, or (4) a long CompanyID parameter to globallogin.dll.

Vulnerable Configurations

Part Description Count
Application
Bvrp_Software
1

Nessus

NASL familyCGI abuses
NASL idSLMAIL_WEBMAIL_FLAWS.NASL
descriptionThe remote host is running a version of the SLmail WebMail server which is vulnerable to various flaws. These flaws may let a user to execute arbitrary code on this host or read arbitrary files.
last seen2020-06-01
modified2020-06-02
plugin id11596
published2003-05-07
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11596
titleSLMail WebMail Multiple Remote Overflows
code
#
# (C) Tenable Network Security, Inc.
#

# Refs:
#
#  From: "NGSSoftware Insight Security Research" <[email protected]>
#  To: <[email protected]>, <[email protected]>,
#        <[email protected]>
#  Subject: Multiple Vulnerabilities in SLWebmail
#  Date: Wed, 7 May 2003 18:05:18 +0100

include( 'compat.inc' );

if(description)
{
  script_id(11596);
  script_version ("1.24");
  script_cve_id("CVE-2003-0266", "CVE-2003-0267", "CVE-2003-0268");
  script_bugtraq_id(7511, 7513, 7514, 7524, 7527, 7528);

  script_name(english:"SLMail WebMail Multiple Remote Overflows");
  script_summary(english:"Determines if the remote SLWebMail server is flawed");

  script_set_attribute(
    attribute:'synopsis',
    value:"The remote mail server is vulnerable to multiple buffer overflows."
  );

  script_set_attribute(
    attribute:'description',
    value:"The remote host is running a version of the SLmail
WebMail server which is vulnerable to various flaws.

These flaws may let a user to execute arbitrary code
on this host or read arbitrary files."
  );

  script_set_attribute(
    attribute:'solution',
    value:"Upgrade to the latest version of SLWebMail."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(
    attribute:'see_also',
    value:"https://seclists.org/bugtraq/2003/May/80"
  );

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/07");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/07");
 script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_dependencie("find_service1.nasl", "http_version.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

no404 = get_kb_item(string("www/", port, "/no404"));
if(no404) exit(0, "The web server on port "+port+ " does not return 404 codes");

  dirx = make_list();
  foreach dir (cgi_dirs())
  {
   dirx = make_list(dirx, dir + "/SLwebmail");
  }

  foreach dir (dirx)
  {
   w = http_send_recv3(method:"GET", item:dir + "/ShowLogin.dll?Language=fr", port:port);
   if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
   res = strcat(w[0], w[1], '\r\n', w[2]);

   if('class="ContentTitle"' >< res &&
      'class="BDTitle"' >< res &&
      "Company = " >< res)
   {
    w = http_send_recv3(method:"GET", item:dir + "/ShowGodLog.dll", port:port);
    if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
    if (w[0] =~ "^HTTP/[0-9]\.[0-9] 200 ")
    {
     security_hole(port);
     exit(0);
    }
   }
  }

References