Web application abuses : BasiliX Arbitrary File Disclosure Vulnerability

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.14305

Categoría: Web application abuses

Título: BasiliX Arbitrary File Disclosure Vulnerability

Resumen: The remote web server contains a PHP script that is prone to information;disclosure.;;Description :;;The remote host appears to be running a BasiliX version 1.1.0 or lower. Such versions allow retrieval of arbitrary;files that are accessible to the web server user when sending a message since they accept a list of attachment;names from the client yet do not verify that the attachments were in fact uploaded.;;Further, since these versions do not sanitize input to the 'login.php3' script, it's possible for an attacker to;establish a session on the target without otherwise having access there by authenticating against an IMAP server;of his or her choosing.

Descripción: Summary:
The remote web server contains a PHP script that is prone to information
disclosure.

Description :

The remote host appears to be running a BasiliX version 1.1.0 or lower. Such versions allow retrieval of arbitrary
files that are accessible to the web server user when sending a message since they accept a list of attachment
names from the client yet do not verify that the attachments were in fact uploaded.

Further, since these versions do not sanitize input to the 'login.php3' script, it's possible for an attacker to
establish a session on the target without otherwise having access there by authenticating against an IMAP server
of his or her choosing.

Solution:
Upgrade to BasiliX version 1.1.1 or later.

CVSS Score:
3.6

CVSS Vector:
AV:L/AC:L/Au:N/C:P/I:P/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2002-1710
BugTraq ID: 5062
http://www.securityfocus.com/bid/5062
Bugtraq: 20020618 BasiliX multiple vulnerabilities (Google Search)
http://archive.cert.uni-stuttgart.de/archive/bugtraq/2002/06/msg00247.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0117.html
XForce ISS Database: basilix-webmail-attach-files(9386)
https://exchange.xforce.ibmcloud.com/vulnerabilities/9386

Copyright Copyright (C) 2004 George A. Theall

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.14305
Categoría:	Web application abuses
Título:	BasiliX Arbitrary File Disclosure Vulnerability
Resumen:	The remote web server contains a PHP script that is prone to information;disclosure.;;Description :;;The remote host appears to be running a BasiliX version 1.1.0 or lower. Such versions allow retrieval of arbitrary;files that are accessible to the web server user when sending a message since they accept a list of attachment;names from the client yet do not verify that the attachments were in fact uploaded.;;Further, since these versions do not sanitize input to the 'login.php3' script, it's possible for an attacker to;establish a session on the target without otherwise having access there by authenticating against an IMAP server;of his or her choosing.
Descripción:	Summary: The remote web server contains a PHP script that is prone to information disclosure. Description : The remote host appears to be running a BasiliX version 1.1.0 or lower. Such versions allow retrieval of arbitrary files that are accessible to the web server user when sending a message since they accept a list of attachment names from the client yet do not verify that the attachments were in fact uploaded. Further, since these versions do not sanitize input to the 'login.php3' script, it's possible for an attacker to establish a session on the target without otherwise having access there by authenticating against an IMAP server of his or her choosing. Solution: Upgrade to BasiliX version 1.1.1 or later. CVSS Score: 3.6 CVSS Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2002-1710 BugTraq ID: 5062 http://www.securityfocus.com/bid/5062 Bugtraq: 20020618 BasiliX multiple vulnerabilities (Google Search) http://archive.cert.uni-stuttgart.de/archive/bugtraq/2002/06/msg00247.html http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0117.html XForce ISS Database: basilix-webmail-attach-files(9386) https://exchange.xforce.ibmcloud.com/vulnerabilities/9386
Copyright	Copyright (C) 2004 George A. Theall