Vulnerabilities > CVE-2004-1719 - Multiple vulnerabilities in Merak Mail Server 7.4.5

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
merak
nessus
exploit available

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Merak Webmail Server 5.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) category, (2) cserver, (3) ext, (4) global, (5) showgroups, or (6) showlite parameters to address.html, the (7) spage or (8) autoresponder parameters to settings.html, the (9) folder parameter to readmail.html, the (10) attachmentpage_text_error parameter to attachment.html, the (11) folder, (12) ct, or (13) cv parameters to calendar.html, (14) an <img> tag, or (15) the subject of an e-mail message.

Vulnerable Configurations

Part Description Count
Application
Merak
1

Exploit-Db

  • description: Merak Mail Server 7.4.5 address.html Multiple Parameter XSS. CVE-2004-1719. Webapps exploit for php platform
    id: EDB-ID:24377
    last seen: 2016-02-02
    modified: 2004-07-17
    published: 2004-07-17
    reporter: Criolabs
    source: https://www.exploit-db.com/download/24377/
    title: Merak Mail Server 7.4.5 address.html Multiple Parameter XSS
  • description: Merak Mail Server 7.4.5 settings.html Multiple Parameter XSS. CVE-2004-1719. Webapps exploit for php platform
    id: EDB-ID:24378
    last seen: 2016-02-02
    modified: 2004-07-17
    published: 2004-07-17
    reporter: Criolabs
    source: https://www.exploit-db.com/download/24378/
    title: Merak Mail Server 7.4.5 settings.html Multiple Parameter XSS
  • description: Merak Mail Server 7.4.5 HTML Message Body XSS. CVE-2004-1719. Webapps exploit for php platform
    id: EDB-ID:24380
    last seen: 2016-02-02
    modified: 2004-07-17
    published: 2004-07-17
    reporter: Criolabs
    source: https://www.exploit-db.com/download/24380/
    title: Merak Mail Server 7.4.5 HTML Message Body XSS
  • description: Merak Mail Server 7.4.5 attachment.html attachmentpage_text_error Parameter XSS. CVE-2004-1719. Webapps exploit for php platform
    id: EDB-ID:24379
    last seen: 2016-02-02
    modified: 2004-07-17
    published: 2004-07-17
    reporter: Criolabs
    source: https://www.exploit-db.com/download/24379/
    title: Merak Mail Server 7.4.5 attachment.html attachmentpage_text_error Parameter XSS

Nessus

NASL family: CGI abuses
NASL id: MERAK_MULTIPLE_VULNS.NASL
description: The target is running at least one instance of Merak Webmail / IceWarp Web Mail 5.2.7 or less or Merak Mail Server 7.5.2 or less. Such versions are potentially affected by multiple cross-site scripting, HTML and SQL injection, and PHP source code disclosure vulnerabilities.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14379
published: 2004-08-26
reporter: This script is Copyright (C) 2004-2018 George A. Theall
source: https://www.tenable.com/plugins/nessus/14379
title: Merak Webmail / IceWarp Web Mail < 5.2.8 Multiple Vulnerabilities
code
#
# This script was written by George A. Theall, <[email protected]>.
#
# See the Nessus Scripts License for details.
#

# Changes by Tenable:
# - Revised plugin title (12/22/10)

include("compat.inc");

# Registration phase: when `description` is set, the block below only declares
# plugin metadata and then exits; no request is sent from inside this block.
if (description) {
  # Identity and cross-references. One plugin id covers four CVEs.
  script_id(14379);
  script_version("1.22");

  script_cve_id("CVE-2004-1719", "CVE-2004-1720", "CVE-2004-1721", "CVE-2004-1722");
  script_bugtraq_id(10966);

  script_name(english:"Merak Webmail / IceWarp Web Mail < 5.2.8 Multiple Vulnerabilities");

  # Report text shown to the analyst.
  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server is hosting a webmail application that is 
affected by multiple vulnerabilities."
  );
  # NOTE(review): the description lists Merak Mail Server "7.5.2 or less" as
  # affected, while the solution below names 7.5.2 as an upgrade target.
  # Confirm the fixed version against the vendor advisory before relying on it.
  script_set_attribute(
    attribute:"description",
    value:
"The target is running at least one instance of Merak Webmail / IceWarp
Web Mail 5.2.7 or less or Merak Mail Server 7.5.2 or less.  Such 
versions are potentially affected by multiple cross-site scripting,
HTML and SQL injection, and PHP source code disclosure vulnerabilities."
  );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Aug/241");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to Merak Webmail / IceWarp Web Mail 5.2.8 or Merak Mail Server
7.5.2 or later."
  );

  # Scoring. The base vector declares partial confidentiality, integrity and
  # availability impact; presumably it rates the whole set of CVEs above, so
  # a single CVE from the set may carry a different score elsewhere.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # 20 / 74 / 79 are input validation, injection and XSS; the remaining ids
  # look like CWE category or view entries (not verified here).
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # Dates and plugin type.
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/26");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/08/17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for Multiple Vulnerabilities in Merak Webmail / IceWarp Web Mail");

  # Registered as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2020 George A. Theall");

  script_family(english:"CGI abuses");

  # Scheduling constraints: prerequisite plugins, candidate ports, and the
  # knowledge-base keys that gate the run (names suggest the check is skipped
  # when CGI scanning is disabled and needs a PHP-capable server).
  script_dependencie("global_settings.nasl", "http_version.nasl");
  script_require_ports("Services/www", 4096);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

# Detection phase: request inc/function.php under each candidate directory
# and report when the reply carries both the IceWarp banner and a known
# function name from that file.
host = get_host_name();   # assigned here; not read again in the visible script
# nb: the webmail component listens on 4096 by default;
#     the mail server itself is on 32000.
port = get_http_port(default:4096, embedded:TRUE);

# Stop early when the port state or PHP-capability check fails.
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);

# nb: the application is reachable under either "/mail" (default) or "/".
foreach dir (make_list("/mail", "")) {

  # inc/function.php is accessible in vulnerable versions, so fetch it.
  probe = http_get(item:string(dir, "/inc/function.php"), port:port);
  reply = http_keepalive_send_recv(port:port, data:probe);
  if (reply == NULL) exit(0);           # can't connect

  # Both signals are required. A server whose banner is hidden or rewritten
  # (for example by a fronting proxy) will not match the first test, so a
  # negative result here does not prove the host is patched.
  if (!egrep(string:reply, pattern:"^Server: IceWarp", icase:TRUE)) continue;
  if (!egrep(string:reply, pattern:"function getusersession", icase:TRUE)) continue;

  security_hole(port:port);
  # NOTE(review): the SQL injection and XSS flags are set on the strength of
  # the file-retrieval test above; neither issue is probed directly here, so
  # downstream plugins reading these keys inherit that assumption.
  kb_base = 'www/'+port;
  set_kb_item(name: kb_base+'/SQLInjection', value: TRUE);
  set_kb_item(name: kb_base+'/XSS', value: TRUE);
  exit(0);
}