Vulnerabilities > CVE-2006-0757 - Unspecified vulnerability in Hivemail
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple eval injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary PHP code via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts, as demonstrated by an addressbook.update.php request with a contactgroupid value of phpinfo() preceded by facilitators.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 10 |
Exploit-Db
description HiveMail 1.2.2/1.3 folders.update.php folderid Variable Arbitrary PHP Command Execution. CVE-2006-0757. Webapps exploit for php platform id EDB-ID:27185 last seen 2016-02-03 modified 2006-02-11 published 2006-02-11 reporter GulfTech Security source https://www.exploit-db.com/download/27185/ title HiveMail 1.2.2/1.3 folders.update.php folderid Variable Arbitrary PHP Command Execution description HiveMail 1.2.2/1.3 addressbook.update.php contactgroupid Variable Arbitrary PHP Command Execution. CVE-2006-0757 . Webapps exploit for php platform id EDB-ID:27184 last seen 2016-02-03 modified 2006-02-11 published 2006-02-11 reporter GulfTech Security source https://www.exploit-db.com/download/27184/ title HiveMail 1.2.2/1.3 addressbook.update.php contactgroupid Variable Arbitrary PHP Command Execution description HiveMail <= 1.3 (addressbook.add.php) Remote Code Execution Exploit. CVE-2006-0757,CVE-2006-0759. Webapps exploit for php platform id EDB-ID:1756 last seen 2016-01-31 modified 2006-05-06 published 2006-05-06 reporter [Oo] source https://www.exploit-db.com/download/1756/ title HiveMail <= 1.3 addressbook.add.php Remote Code Execution Exploit
References
- http://archives.neohapsis.com/archives/bugtraq/2006-02/0162.html
- http://forum.hivemail.com/showthread.php?p=26745
- http://secunia.com/advisories/18807
- http://www.gulftech.org/?node=research&article_id=00098-02102006
- http://www.securityfocus.com/bid/16591
- http://www.vupen.com/english/advisories/2006/0527
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24618