CVE-2006-4954

Neon WebMail for Java <5.08 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4954. PoCs published by Tan Chew Keong.

AI-analyzed exploit summary The provided text describes multiple vulnerabilities in Neon WebMail versions 5.06 and 5.07, including SQL injection, directory traversal, and unauthorized access. It includes example URLs demonstrating how an attacker could exploit these vulnerabilities to manipulate user data or gain administrative access.

Description

The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4) creating and (5) deleting users.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Tan Chew Keong · textwebappsjsp

https://www.exploit-db.com/exploits/28609

View Code ZIP pw:eip

The provided text describes multiple vulnerabilities in Neon WebMail versions 5.06 and 5.07, including SQL injection, directory traversal, and unauthorized access. It includes example URLs demonstrating how an attacker could exploit these vulnerabilities to manipulate user data or gain administrative access.

Classification

Writeup 90%

Attack Type

Sqli | Auth Bypass | Other

Complexity

Trivial

Reliability

Theoretical

Target: Neon WebMail 5.06, 5.07 (build.200607050)

No auth needed

Prerequisites: Network access to the target application

MITRE ATT&CK