Instant Web Mail could allow the execution of POP3 commands
instant-webmail-pop-commands (8650)
Description:
Instant Web Mail could allow a remote attacker to execute arbitrary commands on the system. A remote attacker could embed POP3 commands in an email message or an email header, or include a URL that is linked to a malicious script to execute arbitrary commands on an Instant Web Mail user's computer.
Platforms Affected:
- Understrøm, Instant Web Mail 0.59 and prior
Remedy:
Upgrade to the latest version of Instant Web Mail (0.60 or later), available from the Instant Web Mail Web site. See References.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Sat Mar 23 2002 - 16:30:01 CST, Instant Web Mail additional POP3 commands and mail headers at http://archives.neohapsis.com/archives/bugtraq/2002-03/0316.html.
- Instant Web Mail Web site, Instant Web Mail at http://instantwebmail.sourceforge.net/#changeLog.
- BID-4361: Instant Web Mail POP Command Execution Vulnerability
- CVE-2002-0490: Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php, or (2) modify certain mail message headers via numerous parameters in write.php.
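
The CVE-2002-0490 entry above attributes the flaw to unfiltered CR/LF sequences in the id parameter of message.php and in parameters of write.php. The following PHP sketch is an added example, not code from Instant Web Mail or from this advisory; it shows allow-list validation for both cases, and all function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Instant Web Mail's code.

/**
 * Return a POP3 message number safe to place in a command line,
 * or throw if the input is anything other than 1-9 decimal digits.
 */
function pop3_message_number(string $raw): int
{
    // Allow-list: digits only, so CR, LF, spaces and extra verbs cannot appear.
    // \z is used rather than $, because $ also matches before a trailing newline.
    if (!preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        throw new InvalidArgumentException('invalid message id');
    }
    return (int) $raw;
}

/** Build exactly one POP3 command line from a validated message number. */
function pop3_retr_command(string $rawId): string
{
    return sprintf("RETR %d\r\n", pop3_message_number($rawId));
}

/**
 * Reject a header value that contains CR, LF or NUL instead of silently
 * stripping it, so a tampered request shows up as an error in logs.
 */
function mail_header_value(string $name, string $raw): string
{
    if (preg_match('/[\r\n\0]/', $raw)) {
        throw new InvalidArgumentException("control character in $name");
    }
    return trim($raw);
}

// Constructed sample inputs: one well-formed id, one carrying an embedded line break.
foreach (['7', "7\r\nDELE 1"] as $id) {
    try {
        echo 'ok:       ', json_encode(pop3_retr_command($id)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($id), "\n";
    }
}

// Constructed header value containing a line break, which must be refused.
try {
    mail_header_value('Subject', "hello\r\nBcc: someone@example.invalid");
} catch (InvalidArgumentException $e) {
    echo 'rejected header: ', $e->getMessage(), "\n";
}
```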
Reported:
Mar 23, 2002
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
