List: bugtraq
Subject: IMail Web Service User Aliases / Mailing Lists Admin Vulnerability
From: Zeeshan Mustafa <security () zeeshan ! net>
Date: 2001-12-31 22:31:16

IMail Web Service User Aliases / Mailing Lists Admin Vulnerability

Date : January 1, 2002
Author : Zeeshan Mustafa [security@zeeshan.net]
Application : IPSwitch IMail Web Service
Versions Tested : 7.05/7.04/7.03/7.02/7.01/6.x
Exploitable : Remote
Vendor Status : Notified
Impact of vulnerability : Forced control of user aliases and mail lists

Overview:

IPSwitch IMail Web Service is a popular daemon, a web-based popper used by most ISPs and hosting companies. A flaw in IPSwitch IMail Web Service Version 7.05 allows an admin of a domain hosted on the target machine to take control of alias and list administration for any domain hosted on the same machine.

Details:

There is a flaw in the way IMail Web Service checks that a session holds 'admin' privileges for the domain whose aliases are being administered. For any domain it *only* checks whether the current user is an admin, rather than checking whether the current user is an admin on that domain. An attacker could list/view/add/edit/delete user aliases and mailing lists.

Proof of Concept:

Vulnerability 1:
================
Objective: To administer the user aliases.
Example:
http://<hostname>:8383/<session id>/aliasadmin.<rnd>.cgi?mbx=Main&Domain=[mail host]

<hostname>: Hostname of the target machine.
<session id>: Random session id.
<rnd>: A random 5-digit number.
[mail host]: (optional) Host whose aliases you want to administer.

Vulnerability 2:
================
Objective: To administer the mailing lists.
Example:
http://<hostname>:8383/<session id>/listadm1.<rnd>.cgi?mbx=Main&Domain=[mail host]

<hostname>: Hostname of the target machine.
<session id>: Random session id.
<rnd>: A random 5-digit number.
[mail host]: (optional) Host whose mailing lists you want to administer.
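
The authorization gap described under Details, modelled as an added example (not code from the advisory or from IMail): the check the advisory describes next to a domain-scoped check, run over constructed requests. The Session class, the function names and the a.example / b.example domains are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    domain: str     # domain the user logged in to
    is_admin: bool  # admin flag, granted for that domain only


def norm(domain: str) -> str:
    """Compare host names case-insensitively and without a trailing dot."""
    return domain.strip().rstrip(".").lower()


def target_domain(session: Session, requested: Optional[str]) -> str:
    """Domain= is optional; without it the request applies to the session's own domain."""
    return norm(requested or session.domain)


def may_admin_flawed(session: Session, requested: Optional[str] = None) -> bool:
    # Behaviour described in the advisory: only "is the current user an admin?"
    return session.is_admin


def may_admin_scoped(session: Session, requested: Optional[str] = None) -> bool:
    # Admin flag AND the target domain is the one the flag was granted on.
    return session.is_admin and target_domain(session, requested) == norm(session.domain)


def audit(session: Session,
          requests: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str]]]:
    """Return the (page, Domain) requests the flawed check allows but the scoped check denies."""
    return [(page, dom) for page, dom in requests
            if may_admin_flawed(session, dom) and not may_admin_scoped(session, dom)]


# Constructed sample data: two sessions on a.example and four admin-page requests.
ADMIN_A = Session("admin", "a.example", True)
USER_A = Session("bob", "a.example", False)
REQUESTS = [("aliasadmin", None), ("aliasadmin", "A.Example."),
            ("aliasadmin", "b.example"), ("listadm1", "b.example")]

if __name__ == "__main__":
    for page, dom in audit(ADMIN_A, REQUESTS):
        print(f"cross-domain admin access not blocked: {page} Domain={dom}")
```
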