EMUMail HTTP Host Arbitrary Config File Loading Vulnerability

Emumail is a web mail package available from Emumail, Inc. It is designed for use on Linux, Unix, and Windows systems.

Under some circumstances, it is possible for a local user to gain privileges equal to the HTTP server process. Upon connecting to the server and supplying a malicious HTTP Host value to emumail, it could be possible to force the program to open an arbitrary file. In addition, this could result in the execution of an arbitrary program, supplied by an attacker with local access to the host.
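The following added example (not EMUMail's code, and not part of the original advisory) shows one way to keep a client-supplied Host value from selecting an arbitrary file. It assumes a hypothetical layout of one `<hostname>.conf` file per virtual host; `resolve_host_config`, `config_dir` and `allowed_hosts` are illustrative names, and the sample Host values are constructed.

```python
import os
import re
import tempfile

# One DNS label: letters, digits, hyphens; no dots, slashes or other path characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def resolve_host_config(host_header, config_dir, allowed_hosts):
    """Return the config path for a Host value, or None to reject it.

    Assumed layout (hypothetical): config_dir/<hostname>.conf per virtual host.
    """
    if not host_header or len(host_header) > 255:
        return None
    host, _, port = host_header.lower().partition(":")
    if port and not port.isdigit():
        return None
    # Syntax check first, then an explicit allowlist of served hostnames.
    if not _HOSTNAME.fullmatch(host) or host not in allowed_hosts:
        return None
    # Resolve symlinks and confirm the file still sits inside config_dir.
    base = os.path.realpath(config_dir)
    candidate = os.path.realpath(os.path.join(base, host + ".conf"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Check constructed Host values against a temporary config directory."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "mail.example.test.conf"), "w").close()
        allowed = {"mail.example.test"}
        samples = [
            "mail.example.test",          # served host: accepted
            "MAIL.example.test:8080",     # case and port are normalised: accepted
            "../../tmp/evil",             # path characters: rejected
            "/tmp/evil",                  # absolute path: rejected
            "other.example.test",         # well-formed but not allowlisted: rejected
            "mail.example.test:80/../x",  # non-numeric port part: rejected
        ]
        return {s: resolve_host_config(s, d, allowed) is not None for s in samples}


if __name__ == "__main__":
    for value, accepted in demo().items():
        print(f"{value!r}: {'accepted' if accepted else 'rejected'}")
```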


Copyright 2010, SecurityFocus