[vuln.sg] Vulnerability Research Advisory

Neon WebMail for Java Multiple Vulnerabilities

by Tan Chew Keong
Release Date: 2006-09-20

Summary
-------
7 vulnerabilities have been found in Neon WebMail for Java. When
exploited, these vulnerabilities allow executing of arbitrary JSP code,
escalation of user's privileges, manipulating of user's emails and user
account information, disclosure of files on the server, and potentially
cause a DoS via large CPU resource utilisation by the MySQL server.

Tested Versions
---------------
Neon WebMail for Java version 5.06 and 5.07 (build.200607050)

Details
-------
http://vuln.sg/neonmail506-en.html
http://vuln.sg/neonmail506-jp.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/