CVE-2005-4556
published 2005-12-28CVE-2005-4556: PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, when…
PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
10.37%
95.2th percentile
PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, when register_globals is enabled, allows remote attackers to include arbitrary local and remote PHP files via a URL in the (1) lang_settings and (2) language parameters in (a) accounts/inc/include.php and (b) admin/inc/include.php.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deerfield | visnetic_mail_server | — | — |
| deerfield | visnetic_mail_server | — | — |
| icewarp | web_mail | — | — |
| icewarp | web_mail | — | — |
| merak | mail_server | — | — |
| merak | mail_server | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests to /accounts/inc/include.php for the 'language' parameter set to '0' and 'lang_settings[0][1]' containing an external URL (remote file inclusion pattern). ↗
- →Monitor HTTP requests to /admin/inc/include.php for the 'language' parameter set to '0' and 'lang_settings[0][1]' containing an external URL (remote file inclusion pattern). ↗
- →Alert on requests to accounts/inc/include.php or admin/inc/include.php where the 'language' or 'lang_settings' parameters contain a full Windows path with a drive letter (e.g., C:\), indicating local file inclusion via directory traversal bypassing the securepath function. ↗
- →This vulnerability was confirmed actively exploited in the wild as of July 2007; treat any hits on these paths as high-priority. ↗
- ·The exploit targets IceWarp Web Mail running on a non-standard port (32000); detection rules should not be limited to port 80/443 but should also cover port 32000. ↗
- ·Both the 'language' parameter (accounts/inc/include.php) and the 'lang_settings' parameter (admin/inc/include.php) are attack vectors; detection must cover both parameters and both paths. ↗
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-p4mm-wpp7-57hp: PHP remote file include vulnerability in IceWarp Web Mail 5
ghsa_unreviewed·2022-05-01
CVE-2005-4556 [HIGH] GHSA-p4mm-wpp7-57hp: PHP remote file include vulnerability in IceWarp Web Mail 5
PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, when register_globals is enabled, allows remote attackers to include arbitrary local and remote PHP files via a URL in the (1) lang_settings and (2) language parameters in (a) accounts/inc/include.php and (b) admin/inc/include.php.
GHSA
GHSA-wq6x-gvm4-wgv4: Absolute path directory traversal vulnerability in (a) MERAK Mail Server for Windows 8
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2006-0817 [HIGH] GHSA-wq6x-gvm4-wgv4: Absolute path directory traversal vulnerability in (a) MERAK Mail Server for Windows 8
Absolute path directory traversal vulnerability in (a) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (b) VisNetic MailServer before 8.5.0.5 allows remote attackers to include arbitrary files via a full Windows path and drive letter in the (1) language parameter in accounts/inc/include.php and (2) lang_settings parameter in admin/inc/include.php, which is not properly sanitized by the securepath function, a related issue to CVE-2005-4556.
VulnCheck
deerfield visnetic_mail_server Improper Control of Generation of Code ('Code Injection')
vulncheck·2005·CVSS 7.5
CVE-2005-4556 [HIGH] deerfield visnetic_mail_server Improper Control of Generation of Code ('Code Injection')
deerfield visnetic_mail_server Improper Control of Generation of Code ('Code Injection')
PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, when register_globals is enabled, allows remote attackers to include arbitrary local and remote PHP files via a URL in the (1) lang_settings and (2) language parameters in (a) accounts/inc/include.php and (b) admin/inc/include.php.
Affected: deerfield visnetic_mail_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.exploit-db.com/exploits/26980
No detection rules found.
Exploit-DB
IceWarp Universal WebMail - '/accounts/inc/include.php' Multiple Remote File Inclusions
exploitdb·2005-12-27
CVE-2005-4556 IceWarp Universal WebMail - '/accounts/inc/include.php' Multiple Remote File Inclusions
IceWarp Universal WebMail - '/accounts/inc/include.php' Multiple Remote File Inclusions
---
source: https://www.securityfocus.com/bid/16069/info
IceWarp Universal WebMail is prone to multiple input-validation vulnerabilities. Deerfield VisNetic Mail Server and Merak Mail Server integrate IceWarp Universal WebMail into their suites.
An attacker can exploit these issues to include arbitrary local or remote files containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Additionally, an attacker can exploit these issues to obtain the contents of local files.
Merak Mail Server 8.3.0.r and VisNetic MailServer 8.3.0 build 1 are affected by these issues
Exploit-DB
IceWarp Universal WebMail - '/admin/inc/include.php' Multiple Remote File Inclusions
exploitdb·2005-12-27
CVE-2005-4556 IceWarp Universal WebMail - '/admin/inc/include.php' Multiple Remote File Inclusions
IceWarp Universal WebMail - '/admin/inc/include.php' Multiple Remote File Inclusions
---
source: https://www.securityfocus.com/bid/16069/info
IceWarp Universal WebMail is prone to multiple input-validation vulnerabilities. Deerfield VisNetic Mail Server and Merak Mail Server integrate IceWarp Universal WebMail into their suites.
An attacker can exploit these issues to include arbitrary local or remote files containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Additionally, an attacker can exploit these issues to obtain the contents of local files.
Merak Mail Server 8.3.0.r and VisNetic MailServer 8.3.0 build 1 are affected by these issues.
No writeups or analysis indexed.
http://marc.info/?l=full-disclosure&m=113570229524828&w=2http://secunia.com/advisories/17046http://secunia.com/advisories/17865http://secunia.com/secunia_research/2005-62/advisory/http://securitytracker.com/id?1015412http://www.osvdb.org/22077http://www.osvdb.org/22078http://www.securityfocus.com/archive/1/420255/100/0/threadedhttp://www.securityfocus.com/bid/16069http://marc.info/?l=full-disclosure&m=113570229524828&w=2http://secunia.com/advisories/17046http://secunia.com/advisories/17865http://secunia.com/secunia_research/2005-62/advisory/http://securitytracker.com/id?1015412http://www.osvdb.org/22077http://www.osvdb.org/22078http://www.securityfocus.com/archive/1/420255/100/0/threadedhttp://www.securityfocus.com/bid/16069
2005-12-28
Published
Exploited in the wild