SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   IMail Server Vendors:   Ipswitch
Ipswitch IMail Server Access Control Flaw Lets Remote Administrators for One Hosted Domain Access Administrator Functions for a Different Hosted Domain
SecurityTracker Alert ID:  1003082
SecurityTracker URL:  http://securitytracker.com/id/1003082
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 1 2002
Impact:   Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 7.05, 7.04, 7.03, 7.02, 7.01, 6.x
Description:   A vulnerability was reported in Ipswitch's IMail server. A remote user with administrative privileges may access administrative functions of a different hosted domain's web mail service.

A remote user with administrative privileges for one hosted domain may access the "Alias" and "List" administration controls of another hosted domain if the IMail server has multiple hosted domains.

It is reported that IMail only validates to determine if the remote user has administrative privileges in their domain and does not determine if the remote user is an administrator within the current domain. As a result, the remote user can list, view, add, edit, or delete the user aliases and mailing lists of the current domain.

Demonstration exploit transcripts are provided in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote user with administrative users in one domain can access the user aliases and mailing list administrative functions in a different domain.
Solution:   No solution was available at the time of this entry.
Vendor URL:  ipswitch.com/products/IMail_Server/index.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  IMail Web Service User Aliases / Mailing Lists Admin Vulnerability




IMail Web Service User Aliases / Mailing Lists Admin 
Vulnerability

Date                    : January 1, 2002
Author                  : Zeeshan Mustafa 
[security@zeeshan.net]
Application             : IPSwitch IMail Web Service
Versions Test           : 7.05/7.04/7.03/7.02/7.01/6.x
Exploitable             : Remote
Vendor Status           : Notified
Impact of vulnerability : Forced control of user aliases 
and mail lists


Overview:

	IPSwitch IMail Web Service is a popular 
daemon, web-based popper used by
	most of the ISPs and hosting companies. A 
flaw in IPSwitch IMail Web Service
	Version 7.05 allows an admin of the of a 
domain hosted on the target machine,
	To take control over Aliases' and Lists' 
Administration of any domain hosted
	on the same machine.

Details:

	There is a flaw in the way IMail Web 
Service checks correct 'admin' privileged
	session for some domain to administrate 
aliases. For any domain it *only* checks
	if the current user is admin or not, rather 
than checking if the current
	user is admin on the current domain? An 
attacker could list/view/add/edit/delete
	user aliases and mailing lists.

Proof of Concept:

Vulnerability 1:
================

	Objective: To administrate the user aliases.
	Example: 

	http://<hostname>:8383/<session 
id>/aliasadmin.<rnd>.cgi?mbx=Main&Domain=[mail 
host]
	<hostname>: Hostname of the target 
machine.
	<session id>: Random session id.
	<rnd>: Some 5 digits random number.
	[mail host]: (optional) Host of which you 
want to administrate the aliases.
	
Vulnerability 2:
================

	Objective: To administrate the mailing lists.
	Example: 

	http://<hostname>:8383/<session 
id>/listadm1.<rnd>.cgi?mbx=Main&Domain=[mail 
host]
	<hostname>: Hostname of the target 
machine.
	<session id>: Random session id.
	<rnd>: Some 5 digits random number.
	[mail host]: (optional) Host of which you 
want to administrate the mailing lists.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC