I got a critical vulnerability issue with that file.
Mailnews.cgi fails to check remote user-supplied input for shell metacharacters. A remote attacker can insert a new user to the mailnews’ user file which includes malicious shell commands in the username field. Upon displaying this data, the embedded commands will execute with the privileges of the web server process.
What is the implication of deleting this file?
What is this file for?
Hi @Hendrik_Buchwald
Sorry, it was found in a SonarQube scan at these pages:
sonarqubeserver/cgi/mailnews.cgi
sonarqubeserver/DYNAMIC/mailnews.cgi
sonarqubeserver/scripts/mailnews.cgi
sonarqubeserver/cgi-bin/mailnews.cgi
sonarqubeserver/cgibin/mailnews.cgi
sonarqubeserver/script/mailnews.cgi
sonarqubeserver/cgi-local/mailnews.cgi
sonarqubeserver/htbin/mailnews.cgi
sonarqubeserver/cgi-win/mailnews.cgi
Thanks! There are no such files in SonarQube. I assume that you used a tool to scan for it, so the likely explanation is that it is reporting false positives. Have you tried accessing the files in your browser?