CVE-2001-1045 in Basilix
Summary
by MITRE
Directory traversal vulnerability in basilix.php3 in Basilix Webmail 1.0.3beta and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the request_id[DUMMY] parameter.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/30/2025
The vulnerability identified as CVE-2001-1045 represents a classic directory traversal flaw within the Basilix Webmail 1.0.3beta and earlier versions. This security weakness exists in the basilix.php3 script which processes user input through the request_id[DUMMY] parameter without proper validation or sanitization. The flaw enables malicious actors to manipulate file access paths by exploiting the .. (dot dot) sequence that navigates up directory levels, thereby bypassing intended access controls and potentially gaining unauthorized access to sensitive system files.
This directory traversal vulnerability falls under the Common Weakness Enumeration category CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory. The attack vector leverages the web application's failure to validate user-supplied input before using it in file system operations. When the application processes the request_id[DUMMY] parameter containing directory traversal sequences, it directly incorporates these malicious inputs into file path resolution without adequate sanitization or access control checks.
The operational impact of this vulnerability extends beyond simple information disclosure. An attacker could potentially access critical system files including configuration files, database credentials, application source code, and other sensitive data stored outside the web root directory. The remote nature of this attack means that exploitation does not require local system access, making it particularly dangerous as it can be launched from anywhere on the internet. This vulnerability effectively undermines the web application's security model by allowing arbitrary file access through a single parameter manipulation.
The security implications of CVE-2001-1045 align with tactics described in the MITRE ATT&CK framework under the T1083 technique for file and directory discovery, where adversaries seek to enumerate and access files that may contain sensitive information. The vulnerability also relates to T1566 which encompasses phishing and social engineering techniques that can be used to deliver payloads designed to exploit such directory traversal weaknesses. Organizations running affected versions of Basilix Webmail face significant risk of data breaches and system compromise, as this vulnerability can serve as an initial access point for more sophisticated attacks.
Mitigation strategies for this vulnerability require immediate patching of the affected software to version 1.0.3rc1 or later, which contains the necessary fixes for input validation. Additionally, administrators should implement proper input sanitization measures, including parameter validation, path normalization, and access control restrictions. Network-level protections such as web application firewalls can help detect and block malicious traversal sequences, while regular security audits should verify that all web applications properly validate user input before processing file system operations. The vulnerability also underscores the importance of following secure coding practices and implementing defense-in-depth strategies to prevent similar issues in future software development cycles.