[23665] in bugtraq
IMail Web Service User Aliases / Mailing Lists Admin Vulnerability
daemon@ATHENA.MIT.EDU (Zeeshan Mustafa)
Mon Dec 31 18:38:36 2001
Date: 31 Dec 2001 22:31:16 -0000
Message-ID: <20011231223116.4338.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Zeeshan Mustafa <security@zeeshan.net>
To: bugtraq@securityfocus.com

IMail Web Service User Aliases / Mailing Lists Admin Vulnerability

Date : January 1, 2002
Author : Zeeshan Mustafa [security@zeeshan.net]
Application : IPSwitch IMail Web Service
Versions Tested : 7.05/7.04/7.03/7.02/7.01/6.x
Exploitable : Remote
Vendor Status : Notified
Impact of vulnerability : Forced control of user aliases and mail lists

Overview:
IPSwitch IMail Web Service is a popular daemon, a web-based popper used by
most ISPs and hosting companies. A flaw in IPSwitch IMail Web Service
Version 7.05 allows an admin of a domain hosted on the target machine to
take control over Aliases' and Lists' Administration of any domain hosted
on the same machine.

Details:
There is a flaw in the way IMail Web Service checks for a valid
'admin'-privileged session when a domain's aliases are administered. For any
domain it *only* checks whether the current user is an admin, rather than
checking whether the current user is an admin of the current domain. An
attacker could list/view/add/edit/delete user aliases and mailing lists.

Proof of Concept:

Vulnerability 1:
================
Objective: To administrate the user aliases.
Example:
http://<hostname>:8383/<session id>/aliasadmin.<rnd>.cgi?mbx=Main&Domain=[mail host]
<hostname>: Hostname of the target machine.
<session id>: Random session id.
<rnd>: A random 5-digit number.
[mail host]: (optional) Host whose aliases you want to administrate.

Vulnerability 2:
================
Objective: To administrate the mailing lists.
Example:
http://<hostname>:8383/<session id>/listadm1.<rnd>.cgi?mbx=Main&Domain=[mail host]
<hostname>: Hostname of the target machine.
<session id>: Random session id.
<rnd>: A random 5-digit number.
[mail host]: (optional) Host whose mailing lists you want to administrate.
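
The check described under Details, shown next to a domain-scoped version, as an added example that is not IMail's code and not part of the original advisory. The session store, the function names and the sample domains are hypothetical; only the optional `Domain` parameter comes from the URLs above.

```python
# Added illustration: hypothetical session model, not IMail's implementation.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    user: str
    domain: str      # domain the user logged in to
    is_admin: bool   # admin flag, valid for that domain only

# Constructed sample sessions keyed by session id.
SESSIONS = {
    "s-alice": Session("alice", "a.example", True),
    "s-bob": Session("bob", "b.example", False),
}

def target_domain(session: Session, domain_param: Optional[str]) -> str:
    """Domain is optional in the request; default to the login domain."""
    return domain_param or session.domain

def may_admin_flawed(session_id: str, domain_param: Optional[str] = None) -> bool:
    """Flawed check: asks only 'is this user an admin?', ignoring which domain."""
    s = SESSIONS.get(session_id)
    return s is not None and s.is_admin

def may_admin_fixed(session_id: str, domain_param: Optional[str] = None) -> bool:
    """Scoped check: the admin right must belong to the domain being administered."""
    s = SESSIONS.get(session_id)
    if s is None or not s.is_admin:
        return False
    # Hostnames are case-insensitive; normalise before comparing.
    wanted = target_domain(s, domain_param).strip().lower().rstrip(".")
    return wanted == s.domain.lower()

def audit(requests):
    """Requests (session_id, Domain) the flawed check allows but the scoped one denies."""
    return [r for r in requests if may_admin_flawed(*r) and not may_admin_fixed(*r)]

if __name__ == "__main__":
    sample = [("s-alice", None), ("s-alice", "A.Example"),
              ("s-alice", "b.example"), ("s-bob", "b.example")]
    for sid, dom in audit(sample):
        print(f"cross-domain admin request: session={sid} Domain={dom}")
```

The same comparison applies to both the alias and the mailing-list administration pages, since both take the target domain from the request rather than from the session.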