Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.2
CVE Id: CVE-2002-1385
Last Modified: 05 Sep 2008 04:30:27
Published: 26 Dec 2002 12:00:00
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE

CVE-2002-1385

Summary

openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.

Vulnerable Systems

Application

  • Open Webmail 1.7

  • Open Webmail 1.71

  • Open Webmail 1.8

  • Open Webmail 1.81


References

CONFIRM - http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435

BUGTRAQ - 20021219 [Fix] Openwebmail 1.71 remote root compromise

XF - open-webmail-command-execution(10904)

BID - 6425

BUGTRAQ - 20021218 Openwebmail 1.71 remote root compromise


Last Updated: 27 May 2016 10:37:18