CVE-2002-1385 | Vulnerability Database | Aqua Security

openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.

Affected Software

Name	Vendor	Start Version	End Version
Open_webmail	Open_webmail	1.7 (including)	1.7 (including)
Open_webmail	Open_webmail	1.8 (including)	1.8 (including)
Open_webmail	Open_webmail	1.71 (including)	1.71 (including)
Open_webmail	Open_webmail	1.81 (including)	1.81 (including)

References

http://marc.info/?l=bugtraq\u0026m=104031696120743\u0026w=2
http://marc.info/?l=bugtraq\u0026m=104032263328026\u0026w=2
http://sourceforge.net/forum/forum.php?thread_id=782605\u0026forum_id=108435
http://www.securityfocus.com/bid/6425
https://exchange.xforce.ibmcloud.com/vulnerabilities/10904
http://marc.info/?l=bugtraq\u0026m=104031696120743\u0026w=2
http://marc.info/?l=bugtraq\u0026m=104032263328026\u0026w=2
http://sourceforge.net/forum/forum.php?thread_id=782605\u0026forum_id=108435
http://www.securityfocus.com/bid/6425
https://exchange.xforce.ibmcloud.com/vulnerabilities/10904

NVD	https://nvd.nist.gov/vuln/detail/CVE-2002-1385
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html