CVE-2006-0891

Name of the Vulnerable Software and Affected Versions NOCC Webmail version 1.0

Description The issue allows remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing NULL (%00) byte. This can be achieved through several parameters and an HTTP header field in different PHP files. Specifically, the SESSION['nocc theme'] parameter in html/footer.php, the lang and theme parameters, and the Accept-Language HTTP header field in index.php when force default lang is disabled, are vulnerable. An example of exploitation includes injecting PHP code into a profile and accessing it using the lang parameter in index.php.

Recommendations For NOCC Webmail version 1.0, as a temporary workaround, consider restricting access to the html/footer.php and index.php files until a patch is available. Additionally, disabling the use of the lang and theme parameters, as well as the Accept-Language HTTP header field when force default lang is disabled, can help minimize the risk of exploitation. Avoid using the SESSION['nocc theme'] parameter in html/footer.php until the issue is resolved.