Detections
Analytics

Atmail Webmail < 5.4.2 (5.42) Multiple Information Disclosure Vulnerabilities

high Nessus Plugin ID 73618

Language:

Synopsis

The remote web server contains an application that is affected by multiple information disclosure vulnerabilities.

Description

According to its version, the Atmail Webmail install on the remote host is a version prior to 5.4.2 (5.42). It is, therefore, potentially affected by the following vulnerabilities :

 - A weak permissions error exists related to the files 'webmail/libs/Atmail/Config.php' and 'webmail/webadmin/.htpasswd' that could allow disclosure of sensitive information. (CVE-2008-3395)

 - An authentication bypass error exists related to the script 'build-plesk-upgrade.php' that could allow disclosure of sensitive information. (CVE-2008-3579)

Solution

Upgrade to Atmail Webmail 5.4.2 (5.42) or later.

See Also

http://freecode.com/projects/atmail/releases/282536

https://seclists.org/vuln-dev/2008/Jul/1

Plugin Details

Severity: High

ID: 73618

File Name: atmail_webmail_5_42.nasl

Version: 1.11

Type: remote

Family: CGI abuses

Published: 4/18/2014

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Vulnerability Information

CPE: cpe:/a:atmail:atmail

Required KB Items: www/atmail_webmail

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Patch Publication Date: 8/6/2008

Vulnerability Publication Date: 7/30/2008

Reference Information

CVE: CVE-2008-3395, CVE-2008-3579

BID: 30434

CWE: 264, 287