Vulnerabilities > CVE-2005-0386 - Unspecified vulnerability in Mailreader.Com

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
mailreader-com
nessus

Summary

Cross-site scripting (XSS) vulnerability in network.cgi in mailreader 2.3.29 and earlier allows remote attackers to inject arbitrary web script or HTML via MIME text/enriched or text/richtext messages.

Nessus

  • NASL familyCGI abuses : XSS
    NASL idMAILREADER_HTML_INJECTION.NASL
    descriptionAccording to its banner, the version of Mailreader installed on the remote host is affected by a remote HTML injection vulnerability due to its failure to properly sanitize messages using a 'text/enriched' or 'text/richtext' MIME type.
    last seen2020-06-01
    modified2020-06-02
    plugin id17661
    published2005-03-30
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17661
    titleMailreader network.cgi enriched/richtext MIME Message XSS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    # Description pass: register the plugin's metadata with the scanner and
    # exit without touching the target.
    if (description)
    {
      # Plugin identity and cross-references (CVE, Bugtraq, Debian advisory).
      script_id(17661);
      script_version("1.16");

      script_cve_id("CVE-2005-0386");
      script_bugtraq_id(12945);
      script_xref(name:"DSA", value:"700");

      script_name(english:"Mailreader network.cgi enriched/richtext MIME Message XSS");

      # Report text shown to the operator.
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a CGI script that is vulnerable to a cross-
    site scripting attack.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of Mailreader installed on the
    remote host is affected by a remote HTML injection vulnerability due
    to its failure to properly sanitize messages using a 'text/enriched'
    or 'text/richtext' MIME type.  An attacker can exploit this flaw by
    sending a specially crafted message to a user who reads his mail with
    Mailreader.  Then, when the user reads that message, malicious HTML or
    script code embedded in the message will be run by the user's browser
    in the context of the remote host, enabling the attacker to steal
    authentication cookies as well as perform other attacks.");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mailreader 2.3.36 or later.");

      # Severity: CVSS v2 base and temporal vectors, plus exploitability notes.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-79 (cross-site scripting) is the specific weakness; CWE-20 and
      # CWE-74 are the broader input-validation and injection classes.
      # NOTE(review): the remaining IDs look like CWE view/category entries - confirm.
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

      # Dates and plugin type ("remote" = checked over the network).
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/30");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/03/30");
      script_cvs_date("Date: 2018/07/14  1:59:35");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();

      script_summary(english:"Checks for remote HTML injection vulnerability in Mailreader");

      # Information-gathering category: the check only reads a banner.
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses : XSS");

      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

      # Scheduling: needs the HTTP version probe, is skipped when CGI
      # scanning is disabled, and requires a web service (default port 80).
      script_dependencies("http_version.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);

      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
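    # Resolve the web port to test (default 80).
    port = get_http_port(default:80);

    # Search for Mailreader: request its main script from every known CGI
    # directory and compare the version printed in the page against the
    # affected range.
    #
    # NOTE(review): this is a banner-only check. An install that carries a
    # backported fix but still prints an old version string (for example a
    # distribution package such as the Debian 2.3.29-5woody2 build) will still
    # be reported; confirm against the installed package version.
    foreach dir (cgi_dirs()) {
      # Run the main script.
      r = http_send_recv3(method: "GET", item:string(dir, "/nph-mr.cgi"), port:port);
      # No response at all: stop here instead of probing the remaining directories.
      if (isnull(r)) exit(0);

      # Check the version number in the response body (r[2]).
      # Flagged: 0.x, 1.x, 2.0.x - 2.2.x and 2.3.x up to 2.3.35.
      # The '[3-9]' alternative covers single-digit patch levels 2.3.3 - 2.3.9,
      # which the earlier pattern ('[012].*|3[0-5]') did not match; the dot in
      # "Mailreader.com" is escaped so it only matches a literal '.'.
      if (egrep(pattern:">Mailreader\.com v([01]\..*|2\.([012]\..*|3\.([012].*|3[0-5]|[3-9]))) ", string: r[2])) {
        security_warning(port);
        # Record in the knowledge base that this port has an XSS finding.
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    }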
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-700.NASL
    descriptionUlf Harnhammar from the Debian Security Audit Project discovered a cross-site scripting problem in mailreader, a simple, but powerful WWW mail reader system, when displaying messages of the MIME types text/enriched or text/richtext.
    last seen2020-06-01
    modified2020-06-02
    plugin id17657
    published2005-03-30
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17657
    titleDebian DSA-700-1 : mailreader - missing input sanitising
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-700. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Description pass: register metadata for the DSA-700 local package check
    # and exit without inspecting the host.
    if (description) {
      # Plugin identity and cross-references.
      script_id(17657);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:18");

      script_cve_id("CVE-2005-0386");
      script_xref(name:"DSA", value:"700");

      script_name(english:"Debian DSA-700-1 : mailreader - missing input sanitising");
      script_summary(english:"Checks dpkg output for the updated package");

      # Report text; the description and solution follow the Debian advisory.
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Ulf Harnhammar from the Debian Security Audit Project discovered a
    cross-site scripting problem in mailreader, a simple, but powerful WWW
    mail reader system, when displaying messages of the MIME types
    text/enriched or text/richtext.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-700");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the mailreader package.
    
    For the stable distribution (woody) this problem has been fixed in
    version 2.3.29-5woody2.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");

      # "local" = evaluated from the host's package list, not over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mailreader");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

      # Patch, plugin and vulnerability publication dates.
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/30");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");

      # Scheduling: runs after ssh_get_info.nasl and only when local checks are
      # enabled and the Debian release and dpkg listing are in the knowledge base.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks enabled, a Debian release recorded, and a
    # dpkg package listing collected. Each missing item ends the run with the
    # matching audit message.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


    # Count the packages that deb_check() reports for Debian 3.0 against the
    # fixed mailreader version 2.3.29-5woody2.
    flag = 0;
    if (deb_check(release:"3.0", prefix:"mailreader", reference:"2.3.29-5woody2"))
    {
      flag++;
    }

    if (!flag)
    {
      # Nothing reported: audit the host as not affected.
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      # Report on port 0; attach the package details unless verbosity is 0.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:deb_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }