CVE-2006-5478

Novell eDirectory 8.x-8.8.x - Remote Code Execution via Long HTTP Host Header or Dot in Username

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-5478. PoCs published by Metasploit, MC, Expanders, including Metasploit module exploits/windows/http/edirectory_host.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in Novell eDirectory 8.8.1 via an overly long HTTP Host header. It leverages SEH overwrites to achieve remote code execution on Windows systems.

Description

Multiple stack-based buffer overflows in Novell eDirectory 8.8.x before 8.8.1 FTF1, and 8.x up to 8.7.3.8, and Novell NetMail before 3.52e FTF2, allow remote attackers to execute arbitrary code via (1) a long HTTP Host header, which triggers an overflow in the BuildRedirectURL function; or vectors related to a username containing a . (dot) character in the (2) SMTP, (3) POP, (4) IMAP, (5) HTTP, or (6) Networked Messaging Application Protocol (NMAP) Netmail services.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16773

This exploit targets a stack buffer overflow in Novell eDirectory 8.8.1 via an overly long HTTP Host header. It leverages SEH overwrites to achieve remote code execution on Windows systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell eDirectory 8.8.1
No auth needed
Prerequisites: Network access to the target's HTTP interface (port 8028)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by MC · rubyremotenovell
https://www.exploit-db.com/exploits/28837

This exploit targets a stack-based buffer overflow in Novell eDirectory's iMonitor web interface via an overly long HTTP Host header. It leverages SEH overwrites to execute arbitrary code with administrative privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell eDirectory 8.8.1
No auth needed
Prerequisites: Network access to port 8028 on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Expanders · cremotenovell
https://www.exploit-db.com/exploits/28836

This exploit targets a stack-based buffer overflow in Novell eDirectory's iMonitor (CVE-2006-5478) to achieve remote code execution. It uses a reverse shell payload and overwrites the Second Exception Handler for control flow manipulation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell eDirectory <= 9.0
No auth needed
Prerequisites: Network access to vulnerable eDirectory iMonitor service (default port 8028) · Target platform must match one of the provided return addresses
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Manuel Santamarina Suarez · perlremotenovell
https://www.exploit-db.com/exploits/28835

This exploit targets a stack-based buffer overflow in Novell eDirectory 8.8 NDS Server iMonitor. It sends a maliciously crafted HTTP request with an oversized 'Host' header containing a return address and shellcode to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell eDirectory 8.8 NDS Server
No auth needed
Prerequisites: Network access to the target server on port 8028 · Target server running Novell eDirectory 8.8 with vulnerable iMonitor component
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/edirectory_host.rb

This Metasploit module exploits a stack buffer overflow in Novell eDirectory 8.8.1 via an overly long HTTP Host header, leading to remote code execution. It uses SEH overwrites and a custom payload to achieve exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell eDirectory 8.8.1
No auth needed
Prerequisites: Network access to the target's HTTP interface (port 8028) · Target running Novell eDirectory 8.8.1
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (17)

Core 17
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20655
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/449899/100/0/threaded
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-06-036.html
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-06-035.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017141
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017125
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/450520/100/100/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/450017/100/0/threaded
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4141
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20853
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22519

Scores

EPSS 0.8377
EPSS Percentile 99.7%

Details

CWE
CWE-119
Status published
Products (9)
novell/edirectory 8.0
novell/edirectory 8.5
novell/edirectory 8.5.12a
novell/edirectory 8.5.27
novell/edirectory 8.6.2
novell/edirectory 8.7
novell/edirectory 8.7.1 (2 CPE variants)
novell/edirectory 8.7.3
novell/edirectory 8.7.3.8_presp9
Published Oct 24, 2006
Tracked Since Feb 18, 2026