cbcvebase.
CVE-2005-4556
published 2005-12-28

CVE-2005-4556: PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, when…

PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
10.37%
95.2th percentile
PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, when register_globals is enabled, allows remote attackers to include arbitrary local and remote PHP files via a URL in the (1) lang_settings and (2) language parameters in (a) accounts/inc/include.php and (b) admin/inc/include.php.

Affected

6 ranges
VendorProductVersion rangeFixed in
deerfieldvisnetic_mail_server
deerfieldvisnetic_mail_server
icewarpweb_mail
icewarpweb_mail
merakmail_server
merakmail_server

Detection & IOCsextracted from sources · hover to see the quote

path/accounts/inc/include.php
path/admin/inc/include.php
port32000
urlhttp://example.com:32000/accounts/inc/include.php?language=0&lang_settings[0][1]=http://[host]/
urlhttp://example.com:32000/admin/inc/include.php?language=0&lang_settings[0][1]=http://[host]/
  • Monitor HTTP requests to /accounts/inc/include.php for the 'language' parameter set to '0' and 'lang_settings[0][1]' containing an external URL (remote file inclusion pattern).
  • Monitor HTTP requests to /admin/inc/include.php for the 'language' parameter set to '0' and 'lang_settings[0][1]' containing an external URL (remote file inclusion pattern).
  • Alert on requests to accounts/inc/include.php or admin/inc/include.php where the 'language' or 'lang_settings' parameters contain a full Windows path with a drive letter (e.g., C:\), indicating local file inclusion via directory traversal bypassing the securepath function.
  • This vulnerability was confirmed actively exploited in the wild as of July 2007; treat any hits on these paths as high-priority.
  • ·The exploit targets IceWarp Web Mail running on a non-standard port (32000); detection rules should not be limited to port 80/443 but should also cover port 32000.
  • ·Both the 'language' parameter (accounts/inc/include.php) and the 'lang_settings' parameter (admin/inc/include.php) are attack vectors; detection must cover both parameters and both paths.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.