Summary
The host is running Kerio Mail Server/Connect and is prone to a plaintext command injection vulnerability.
Impact
Successful exploitation will allow an attacker to execute arbitrary commands in the context of the user running the application.
Impact Level: Application
Solution
No solution or patch was made available for at least one year after disclosure of this vulnerability, and it is likely that none will be provided.
General solution options are to upgrade to a newer release, disable the respective features, remove the product, or replace the product with another one.
Insight
This flaw is caused by an error within the 'STARTTLS' implementation where the switch from plaintext to TLS is implemented below the application's I/O buffering layer, which could allow attackers to inject commands during the plaintext phase of the protocol via man-in-the-middle attacks.
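The buffering error described above, as an added example that is not part of the original advisory and is not Kerio code. It is a toy line reader with no sockets and no real TLS; the `SmtpSession` class, its fields, `replay` and the sample segment are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SmtpSession:
    """Toy buffered command reader: no sockets, no real TLS (constructed model)."""
    discard_on_starttls: bool
    buffer: bytearray = field(default_factory=bytearray)
    tls_active: bool = False
    handled: list = field(default_factory=list)  # (command, channel the server believes)
    dropped: bytes = b""                         # plaintext bytes thrown away at the switch

    def receive(self, data: bytes) -> None:
        """Append bytes from the transport and process every complete line."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, _, rest = bytes(self.buffer).partition(b"\r\n")
            self.buffer = bytearray(rest)
            command = line.decode("ascii", "replace").strip()
            channel = "tls" if self.tls_active else "plaintext"
            self.handled.append((command, channel))
            if command.upper() == "STARTTLS" and not self.tls_active:
                self._switch_to_tls()

    def _switch_to_tls(self) -> None:
        # The transport changes here, below the buffer. Whatever is still
        # buffered (whole or partial lines) arrived before the handshake.
        self.tls_active = True
        if self.discard_on_starttls:
            self.dropped = bytes(self.buffer)
            self.buffer.clear()


def replay(segment: bytes, discard_on_starttls: bool) -> SmtpSession:
    """Feed one constructed plaintext segment to a fresh session."""
    session = SmtpSession(discard_on_starttls=discard_on_starttls)
    session.receive(segment)
    return session


# Constructed sample: three commands delivered in a single plaintext read.
SEGMENT = b"EHLO client.example\r\nSTARTTLS\r\nNOOP\r\n"

if __name__ == "__main__":
    for discard in (False, True):
        s = replay(SEGMENT, discard)
        print("discard" if discard else "keep   ", s.handled, s.dropped)
```

With discarding off, the trailing `NOOP` is recorded as handled on the TLS channel even though it arrived before the handshake; with discarding on, it ends up in `dropped` and is never processed.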
Affected
- Kerio MailServer versions 6.x
- Kerio Connect version 7.1.4 build 2985
References
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2011-1506
- CVSS Base Score: 6.8
- CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P