CVE-2002-0490 Information

Description

Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php or (2) modify certain mail message headers via numerous parameters in write.php.

Reference

http://instantwebmail.sourceforge.net/changeLog
http://www.iss.net/security_center/static/8650.php
http://www.securityfocus.com/archive/1/264041
http://www.securityfocus.com/bid/4361
