CVE-2006-0891

NOCC Webmail 1.0 - Directory Traversal via Session Parameter or HTTP Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-0891. PoCs published by rgod.

AI-analyzed exploit summary This exploit targets NOCC Webmail <= 1.0 via arbitrary local file inclusion and attachment filename prediction to achieve remote command execution. It uploads a malicious attachment and includes it to execute commands, installing a backdoor.

Description

Multiple directory traversal vulnerabilities in NOCC Webmail 1.0 allow remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing NULL (%00) byte in (1) the _SESSION['nocc_theme'] parameter in (a) html/footer.php; and (2) the lang and (3) theme parameters and the (4) Accept-Language HTTP header field, when force_default_lang is disabled, in (b) index.php, as demonstrated by injecting PHP code into a profile and accessing it using the lang parameter in index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by rgod · phpwebappsphp

https://www.exploit-db.com/exploits/1522

View Code ZIP pw:eip

This exploit targets NOCC Webmail <= 1.0 via arbitrary local file inclusion and attachment filename prediction to achieve remote command execution. It uploads a malicious attachment and includes it to execute commands, installing a backdoor.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: NOCC Webmail <= 1.0

Auth required

Prerequisites: POP3 account credentials · Target running NOCC Webmail <= 1.0

MITRE ATT&CK