
List:       bugtraq
Subject:    IMail Web Service User Aliases / Mailing Lists Admin Vulnerability
From:       Zeeshan Mustafa <security () zeeshan ! net>
Date:       2001-12-31 22:31:16



IMail Web Service User Aliases / Mailing Lists Admin Vulnerability

Date                    : January 1, 2002
Author                  : Zeeshan Mustafa [security@zeeshan.net]
Application             : IPSwitch IMail Web Service
Versions Tested         : 7.05/7.04/7.03/7.02/7.01/6.x
Exploitable             : Remote
Vendor Status           : Notified
Impact of vulnerability : Forced control of user aliases and mail lists


Overview:

	IPSwitch IMail Web Service is a popular daemon, a web-based popper used by
	most of the ISPs and hosting companies. A flaw in IPSwitch IMail Web Service
	Version 7.05 allows an admin of a domain hosted on the target machine
	to take control over Aliases' and Lists' Administration of any domain hosted
	on the same machine.

Details:

	There is a flaw in the way IMail Web Service checks for a correct
	'admin'-privileged session when the aliases of a domain are administered.
	For any domain it *only* checks whether the current user is an admin, rather
	than checking whether the current user is an admin on the current domain.
	An attacker could list/view/add/edit/delete user aliases and mailing lists.

Proof of Concept:

Vulnerability 1:
================

	Objective: To administer the user aliases.
	Example:

	http://<hostname>:8383/<session id>/aliasadmin.<rnd>.cgi?mbx=Main&Domain=[mail host]

	<hostname>: Hostname of the target machine.
	<session id>: Random session id.
	<rnd>: Some 5-digit random number.
	[mail host]: (optional) Host whose aliases you want to administer.
	
Vulnerability 2:
================

	Objective: To administer the mailing lists.
	Example:

	http://<hostname>:8383/<session id>/listadm1.<rnd>.cgi?mbx=Main&Domain=[mail host]

	<hostname>: Hostname of the target machine.
	<session id>: Random session id.
	<rnd>: Some 5-digit random number.
	[mail host]: (optional) Host whose mailing lists you want to administer.
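
The missing check described under Details, modelled as an added example (not part of the original advisory and not IMail's code): the admin-only check beside one that also binds the request's Domain parameter to the domain of the session. The Session record, the function names, the sample hosts and the fallback to the session's own domain when Domain is omitted are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# The two admin pages named in the advisory; <rnd> is a five-digit number.
ADMIN_PAGE = re.compile(r"^(aliasadmin|listadm1)\.\d{5}\.cgi$")

@dataclass(frozen=True)
class Session:            # hypothetical server-side session record
    user: str
    domain: str           # mail domain the user authenticated against
    is_admin: bool

def flawed_authorize(session, requested_domain):
    """Check as the advisory describes it: admin flag only, domain ignored."""
    return session.is_admin

def scoped_authorize(session, requested_domain):
    """Admin flag AND the requested domain must be the session's own domain."""
    return session.is_admin and requested_domain.lower() == session.domain.lower()

def handle(url, sessions, authorize):
    """Return an HTTP-style status code for a request to an admin page."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2 or not ADMIN_PAGE.match(segments[1]):
        return 404
    session = sessions.get(segments[0])
    if session is None:
        return 401
    # Assumption: when Domain is omitted, the session's own domain applies.
    domain = parse_qs(parts.query).get("Domain", [session.domain])[0]
    return 200 if authorize(session, domain) else 403

# Constructed sample data: one admin of a.example on a host serving two domains.
SESSIONS = {"s1": Session("root", "a.example", True)}
BASE = "http://mail.example:8383/s1/"
OWN = BASE + "aliasadmin.12345.cgi?mbx=Main&Domain=a.example"
CROSS = BASE + "listadm1.54321.cgi?mbx=Main&Domain=b.example"

if __name__ == "__main__":
    for name, check in (("flawed", flawed_authorize), ("scoped", scoped_authorize)):
        print(name, "own:", handle(OWN, SESSIONS, check),
              "cross-domain:", handle(CROSS, SESSIONS, check))
```

The same comparison, session domain against the Domain query parameter on aliasadmin and listadm1 requests, can be applied to web access logs to spot cross-domain administration.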