Vulnerabilities > CVE-2003-0268 - Unspecified vulnerability in Bvrp Software Slwebmail 3.0

CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

SLWebMail 3 on Windows systems allows remote attackers to identify the full path of the server via invalid requests to DLLs such as WebMailReq.dll, which reveals the path in an error message.

Vulnerable Configurations

Part Description Count
Application
Bvrp_Software
1

Nessus

NASL family: CGI abuses
NASL id: SLMAIL_WEBMAIL_FLAWS.NASL
description: The remote host is running a version of the SLmail WebMail server which is vulnerable to various flaws. These flaws may let a user to execute arbitrary code on this host or read arbitrary files.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11596
published: 2003-05-07
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11596
title: SLMail WebMail Multiple Remote Overflows
code
#
# (C) Tenable Network Security, Inc.
#

# Refs:
#
#  From: "NGSSoftware Insight Security Research" <[email protected]>
#  To: <[email protected]>, <[email protected]>,
#        <[email protected]>
#  Subject: Multiple Vulnerabilities in SLWebmail
#  Date: Wed, 7 May 2003 18:05:18 +0100

include( 'compat.inc' );

# Registration phase: when `description` is set the script only declares its
# metadata and leaves through exit(0), so none of the detection code further
# down runs during this phase.
if (description)
{
  # Identity and cross-references. Three CVE ids and six Bugtraq ids are
  # attached to this single plugin, so a hit is reported against the whole
  # group and does not say which individual flaw is present.
  script_id(11596);
  script_version("1.24");
  script_cve_id("CVE-2003-0266", "CVE-2003-0267", "CVE-2003-0268");
  script_bugtraq_id(7511, 7513, 7514, 7524, 7527, 7528);

  script_name(english:"SLMail WebMail Multiple Remote Overflows");
  script_summary(english:"Determines if the remote SLWebMail server is flawed");

  # Report text shown to the operator.
  # NOTE(review): name and synopsis speak of buffer overflows only, while the
  # description also mentions reading arbitrary files; the wording covers the
  # advisory as a whole rather than one of the listed CVE ids.
  script_set_attribute(attribute:'synopsis', value:"The remote mail server is vulnerable to multiple buffer overflows.");
  script_set_attribute(attribute:'description', value:"The remote host is running a version of the SLmail
WebMail server which is vulnerable to various flaws.

These flaws may let a user to execute arbitrary code
on this host or read arbitrary files.");
  script_set_attribute(attribute:'solution', value:"Upgrade to the latest version of SLWebMail.");
  script_set_attribute(attribute:'see_also', value:"https://seclists.org/bugtraq/2003/May/80");

  # Risk rating. One CVSS v2 base/temporal vector is registered for the whole
  # plugin; it is not a per-CVE score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Dates and plugin type.
  script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/07");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/07");
  script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Scheduling: category, family, the plugins that must run first, the ports
  # this check applies to, and the KB key that keeps it from running when CGI
  # scanning has been disabled in the scan settings.
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");
  script_dependencie("find_service1.nasl", "http_version.nasl", "no404.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Detection phase. What is visible here: two plain GET requests per candidate
# directory. The verdict rests on the HTTP status line of the second request
# alone; no response body from that request is inspected and no product
# version is compared, so a report is an indicator to confirm on the host.
port = get_http_port(default:80);

# The verdict below keys on an HTTP 200 status line, so a server that the KB
# records as not returning 404 codes is skipped.
if (get_kb_item(string("www/", port, "/no404")))
  exit(0, "The web server on port "+port+ " does not return 404 codes");

# Candidate install locations: "/SLwebmail" under every known CGI directory.
webmail_dirs = make_list();
foreach cgi_dir (cgi_dirs())
{
  webmail_dirs = make_list(webmail_dirs, cgi_dir + "/SLwebmail");
}

foreach webmail_dir (webmail_dirs)
{
  # Step 1: fingerprint the login page. Status line, headers and body are
  # joined into one string and all three markers must occur in it.
  # A missing answer ends the whole script with exit code 1; the remaining
  # candidates are not tried.
  reply = http_send_recv3(method:"GET", item:webmail_dir + "/ShowLogin.dll?Language=fr", port:port);
  if (isnull(reply)) exit(1, "The web server on port "+port+" did not answer");
  login_page = strcat(reply[0], reply[1], '\r\n', reply[2]);

  if ('class="ContentTitle"' >!< login_page) continue;
  if ('class="BDTitle"' >!< login_page) continue;
  if ("Company = " >!< login_page) continue;

  # Step 2: on a fingerprinted install, request ShowGodLog.dll and look at
  # the status line only.
  reply = http_send_recv3(method:"GET", item:webmail_dir + "/ShowGodLog.dll", port:port);
  if (isnull(reply)) exit(1, "The web server on port "+port+" did not answer");
  if (reply[0] !~ "^HTTP/[0-9]\.[0-9] 200 ") continue;

  # First match is reported and ends the script.
  security_hole(port);
  exit(0);
}