[VIM] Info on Unspecified Webmail Flaw Fixed in Winmail 4.3?

Steven M. Christey coley at linus.mitre.org
Thu Mar 30 01:31:02 EST 2006


On Wed, 29 Mar 2006, George A. Theall wrote:

> Does anyone have any specifics about the Winmail Server flaw referenced
> by CVE-2006-1250, BID 17009, and OSVDB 23877? All point to the changelog
> for version 4.3(Build 0302), presumably item 9, which says: "Fixed some
> security problem of Webmail."

Sorry - CVE-2006-1250's only additional data references that particular
changelog item, so there's no other information.

> Earlier today, I set up this newer version and tried to exploit the
> first issue (directory traversal when creating session files) without
> success. This together with the timing of the release makes me suspect
> those issues are collectively what the vendor considers to have
> addressed in 4.3

You probably know this, but the timing of releases is shaky evidence,
especially in products with a vulnerability history and an undetermined
reliability when it comes to acknowledging/fixing issues.  With this lack
of evidence, we decided it was best to create a separate identifier for
the changelog item above, rather than guess that maybe the changelog was
really dealing with CVE-2005-3811 and CVE-2005-3692.

I see that their web site requires you to register to even contact their
sales staff, otherwise I would have sent them an email asking them for
clarification.

- Steve


More information about the VIM mailing list