Summary
| Detail | |||
|---|---|---|---|
| Vendor | Open Webmail | First view | 2002-12-26 |
| Product | Open Webmail | Last view | 2007-08-07 |
| Version | Type | Application | |
| Update | |||
| Edition | |||
| Language | |||
| Sofware Edition | |||
| Target Software | |||
| Target Hardware | |||
| Other | |||
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 4.3 | 2007-08-07 | CVE-2007-4172 | Multiple cross-site scripting (XSS) vulnerabilities in Open Webmail (OWM) 2.52 20060831 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) searchtype, (2) longpage, and (3) page parameters to (a) openwebmail-main.pl; the (4) prefs_caller, (5) userfirsttime, (6) page, (7) sort, (8) folder, and (9) message_id parameters to (b) openwebmail-prefs.pl; the (10) compose_caller, (11) msgdatetype, (12) keyword, (13) searchtype, (14) folder, (15) page, and (16) sort parameters to (c) openwebmail-send.pl; the (17) folder, (18) page, and (19) sort parameters to (d) openwebmail-folder.pl; the (20) searchtype, (21) page, (22) filesort, (23) singlepage, (24) showhidden, (25) showthumbnail, and (26) message_id parameters to (e) openwebmail-webdisk.pl; the (27) folder parameter to (f) openwebmail-advsearch.pl; and the (28) abookcollapse, (29) abooksearchtype, (30) abooksort, (31) abooklongpage, (32) abookpage, (33) message_id, (34) searchtype, (35) msgdatetype, (36) sort, (37) page, (38) rootxowmuid, and (39) listviewmode parameters to (g) openwebmail-abook.pl, different vectors than CVE-2005-2863, CVE-2006-2190, CVE-2006-3229, and CVE-2006-3233. |
| 4.3 | 2006-06-27 | CVE-2006-3233 | Cross-site scripting (XSS) vulnerability in openwebmail-read.pl in Open WebMail (OWM) 2.52, and other versions released before 06/18/2006, allows remote attackers to inject arbitrary web script or HTML via the from field. NOTE: some third party sources have mentioned the "to" and "from" fields, although CVE analysis shows that these are associated with the previous version, a different executable, and a different CVE. |
| 4.3 | 2006-06-26 | CVE-2006-3229 | Cross-site scripting (XSS) vulnerability in Open WebMail (OWM) 2.52, and other versions released before 05/12/2006, allows remote attackers to inject arbitrary web script or HTML via the (1) To and (2) From fields in openwebmail-main.pl, and possibly (3) other unspecified vectors related to "openwebmailerror calls that need to display HTML." |
| 6.8 | 2006-05-04 | CVE-2006-2190 | Cross-site scripting (XSS) vulnerability in ow-shared.pl in OpenWebMail (OWM) 2.51 and earlier allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter in (1) openwebmail-send.pl, (2) openwebmail-advsearch.pl, (3) openwebmail-folder.pl, (4) openwebmail-prefs.pl, (5) openwebmail-abook.pl, (6) openwebmail-read.pl, (7) openwebmail-cal.pl, and (8) openwebmail-webdisk.pl. NOTE: the openwebmail-main.pl vector is already covered by CVE-2005-2863. |
| 4.3 | 2005-09-08 | CVE-2005-2863 | Cross-site scripting (XSS) vulnerability in openwebmail-main.pl in OpenWebMail 2.41 allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter. |
| 7.5 | 2005-05-03 | CVE-2005-1435 | Open WebMail (OWM) before 2.51 20050430 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. |
| 4.3 | 2005-05-02 | CVE-2005-0445 | Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows remote attackers to inject arbitrary HTML or web script via the domain name parameter (logindomain) in the login page. |
| 5 | 2004-12-31 | CVE-2004-2458 | Open WebMail 2.30 and earlier, when use_syshomedir is disabled or create_syshomedir is enabled, creates new directories before authenticating, which allows remote attackers to create arbitrary directories. |
| 10 | 2004-12-31 | CVE-2004-2284 | The read_list_from_file function in vacation.pl for OpenWebmail before 2.32 20040629 allows remote attackers to execute arbitrary commands via shell metacharacters in a filename argument. |
| 6.8 | 2004-08-18 | CVE-2004-0520 | Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. |
| 6.8 | 2004-08-06 | CVE-2004-0639 | Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable. |
| 5 | 2002-12-31 | CVE-2002-2410 | openwebmail.pl in Open WebMail 1.7 and 1.71 reveals sensitive information in error messages and generates different responses whether a user exists or not, which allows remote attackers to identify valid usernames via brute force attacks and obtain certain configuration and version information. |
| 7.2 | 2002-12-26 | CVE-2002-1385 | openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 50% (1) | CWE-200 | Information Exposure |
| 50% (1) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
Oval Markup Language : Definitions
| OvalID | Name |
|---|---|
| oval:org.mitre.oval:def:10766 | Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before ... |
| oval:org.mitre.oval:def:1012 | SquirrelMail Cross-site Scripting Vulnerability II |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 41087 | Open WebMail (OWM) openwebmail-abook.pl Multiple Parameter XSS |
| 41086 | Open WebMail (OWM) openwebmail-advsearch.pl folder Parameter XSS |
| 41085 | Open WebMail (OWM) openwebmail-webdisk.pl Multiple Parameter XSS |
| 41084 | Open WebMail (OWM) openwebmail-folder.pl Multiple Parameter XSS |
| 41083 | Open WebMail (OWM) openwebmail-send.pl Multiple Parameter XSS |
| 41082 | Open WebMail (OWM) openwebmail-prefs.pl Multiple Parameter XSS |
| 41081 | Open WebMail (OWM) openwebmail-main.pl Multiple Parameter XSS |
| 31849 | Open WebMail (OWM) Unspecified XSS |
| 31848 | Open WebMail (OWM) openwebmail-main.pl Multiple XSS |
| 26766 | Open WebMail (OWM) openwebmail-read.pl from Parameter XSS |
| 19225 | Open WebMail Error Message Session ID XSS |
| 16304 | Open WebMail (OWM) Shell Escape Arbitrary Command Execution |
| 13788 | Open WebMail openwebmail.pl logindomain Parameter XSS |
| 8292 | SquirrelMail mailbox_display.php Multiple Parameter XSS |
| 8291 | SquirrelMail read_body.php Multiple Parameter XSS |
| 7474 | Open WebMail vacation.pl Arbitrary Command Execution |
| 7101 | Open WebMail openwebmail.pl Information Disclosure |
| 7100 | Open WebMail openwebmail-shared.pl Session Parameter Arbitrary Code Execution |
| 6654 | Open WebMail openwebmail-abook.pl Session Parameter Arbitrary Code Execution |
| 6514 | SquirrelMail mime.php Content-Type XSS |
| 5006 | Open Webmail syshomedir Variable Arbitrary Directory Creation |
OpenVAS Exploits
| id | Description |
|---|---|
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200406-08 (Squirrelmail) File : nvt/glsa_200406_08.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 535-1 (squirrelmail) File : nvt/deb_535_1.nasl |
| 2005-11-03 | Name : Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability File : nvt/openwebmail_logindomain_xss.nasl |
| 2005-11-03 | Name : Open WebMail vacation.pl Arbitrary Command Execution File : nvt/openwebmail_vacation_input_validation.nasl |
| 2005-11-03 | Name : SquirrelMail From Email header HTML injection vulnerability File : nvt/squirrelmail_html_injection_vuln.nasl |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2005-09-21 | Name: The remote web server contains a PHP script which is vulnerable to a cross-si... File: openwebmail_sessionid_xss.nasl - Type: ACT_GATHER_INFO |
| 2005-05-04 | Name: The remote web server contains a Perl application that allows execution of ar... File: openwebmail_perl_open.nasl - Type: ACT_GATHER_INFO |
| 2005-02-16 | Name: The remote webmail server is affected by a cross-site scripting flaw. File: openwebmail_logindomain_xss.nasl - Type: ACT_ATTACK |
| 2004-09-29 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-535.nasl - Type: ACT_GATHER_INFO |
| 2004-08-30 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-200406-08.nasl - Type: ACT_GATHER_INFO |
| 2004-08-06 | Name: The remote host has an application that is affected by multiple cross-site sc... File: squirrelmail_html_injection_vuln.nasl - Type: ACT_GATHER_INFO |
| 2004-07-23 | Name: The remote Fedora Core host is missing a security update. File: fedora_2004-159.nasl - Type: ACT_GATHER_INFO |
| 2004-07-23 | Name: The remote Fedora Core host is missing a security update. File: fedora_2004-160.nasl - Type: ACT_GATHER_INFO |
| 2004-07-06 | Name: Arbitrary commands may be run on the remote host. File: openwebmail_vacation_input_validation.nasl - Type: ACT_GATHER_INFO |
| 2004-07-06 | Name: The remote Red Hat host is missing a security update. File: redhat-RHSA-2004-240.nasl - Type: ACT_GATHER_INFO |
| 2004-05-05 | Name: The remote service is vulnerable to injection attacks allowing command execut... File: squirrelmail_143.nasl - Type: ACT_GATHER_INFO |
| 2003-03-19 | Name: The remote host has an application that is affected by multiple vulnerabilities. File: openwebmail_cmd_exec.nasl - Type: ACT_GATHER_INFO |
