Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.5
CVE Id CVE-2006-0759
Last Modified 07 Mar 2011 09:30:46
Published 17 Feb 2006 09:02:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2006-0759

Summary

Multiple SQL injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts; and allow remote authenticated users to execute arbitrary SQL commands via (11) the folderid parameter in index.php and (12) possibly other parameters in certain other scripts, because $_SERVER['PHP_SELF'] is improperly handled.

Vulnerable Systems

Application

  • Hivemail 1.1

  • Hivemail 1.1.1

  • Hivemail 1.2

  • Hivemail 1.2 Sp1

  • Hivemail 1.2.1 Beta1

  • Hivemail 1.2.1 Rc

  • Hivemail 1.2.2

  • Hivemail 1.3

  • Hivemail 1.3 Beta1

  • Hivemail 1.3 Rc1


References

XF - hivemail-index-sql-injection(24623)

VUPEN - ADV-2006-0527

MISC - http://www.gulftech.org/?node=research&article_id=00098-02102006

MISC - http://forum.hivemail.com/showthread.php?p=26745

BUGTRAQ - 20060210 HiveMail <= 1.3 Multiple Vulnerabilities

BID - 16591

SREASON - 422

SECUNIA - 18807


Last Updated: 27 May 2016 10:41:46