PT-2008-6108 · U Mail · U-Mail Webmail Server

Shennan Wang

Published

2008-11-05

Updated

2018-10-11

CVE-2008-4932

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions U-Mail Webmail server version 4.91

Description The issue allows remote attackers to overwrite arbitrary files by providing an absolute pathname in the path parameter and arbitrary content in the content parameter in the webmail/modules/filesystem/edit.php file. This can be leveraged for code execution by writing to a file under the web document root.

Recommendations For U-Mail Webmail server version 4.91, restrict access to the webmail/modules/filesystem/edit.php file to minimize the risk of exploitation. Avoid using the path and content parameters in this file until the issue is resolved.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2008-4932

Affected Products

U-Mail Webmail Server

PT-2008-6108 · U Mail · U-Mail Webmail Server

CVE-2008-4932

Weakness Enumeration

Related Identifiers

Affected Products

References · 7