CVE-2002-1385

Name of the Vulnerable Software and Affected Versions Open WebMail versions 1.81 and earlier

Description The issue allows local users to execute arbitrary code via .. (dot dot) sequences in a login name. This can be achieved by manipulating the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.

Recommendations For Open WebMail versions 1.81 and earlier, consider restricting access to the openwebmail-abook.pl script until a fix is available. As a temporary workaround, avoid using the sessionid parameter with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.