Bugtraq mailing list archives

IMail Web Service User Aliases / Mailing Lists Admin Vulnerability


From: Zeeshan Mustafa <security () zeeshan net>
Date: 31 Dec 2001 22:31:16 -0000



IMail Web Service User Aliases / Mailing Lists Admin Vulnerability

Date                    : January 1, 2002
Author                  : Zeeshan Mustafa [security () zeeshan net]
Application             : IPSwitch IMail Web Service
Versions Tested         : 7.05/7.04/7.03/7.02/7.01/6.x
Exploitable             : Remote
Vendor Status           : Notified
Impact of vulnerability : Forced control of user aliases and mail lists


Overview:

        IPSwitch IMail Web Service is a popular daemon, a web-based popper used by
        most of the ISPs and hosting companies. A flaw in IPSwitch IMail Web Service
        version 7.05 allows an admin of a domain hosted on the target machine
        to take control of alias and list administration for any domain hosted
        on the same machine.

Details:

        There is a flaw in the way IMail Web Service checks for a correct
        'admin'-privileged session when a domain's aliases are administered.
        For any domain it *only* checks whether the current user is an admin,
        rather than checking whether the current user is an admin of the
        current domain. An attacker could list/view/add/edit/delete
        user aliases and mailing lists.

Proof of Concept:

Vulnerability 1:
================

        Objective: To administrate the user aliases.
        Example:

        http://<hostname>:8383/<session id>/aliasadmin.<rnd>.cgi?mbx=Main&Domain=[mail host]

        <hostname>: Hostname of the target machine.
        <session id>: Random session id.
        <rnd>: A random 5-digit number.
        [mail host]: (optional) Host whose aliases you want to administrate.
        
Vulnerability 2:
================

        Objective: To administrate the mailing lists.
        Example:

        http://<hostname>:8383/<session id>/listadm1.<rnd>.cgi?mbx=Main&Domain=[mail host]

        <hostname>: Hostname of the target machine.
        <session id>: Random session id.
        <rnd>: A random 5-digit number.
        [mail host]: (optional) Host whose mailing lists you want to administrate.
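
Added example (not part of the original advisory and not IMail code): a small Python model of the check described under "Details", showing the admin-flag-only decision beside a domain-scoped one for the two CGI URL shapes above. The Session class, the function names, the fallback to the session's own domain when Domain is omitted, and all sample hosts and ids are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

@dataclass(frozen=True)
class Session:          # hypothetical model of a logged-in web session
    user: str
    domain: str         # mail domain the account belongs to
    is_admin: bool      # admin flag, meaningful for that domain only

def _norm(host: str) -> str:
    # Compare mail hosts case-insensitively and ignore a trailing dot.
    return host.strip().rstrip(".").lower()

def requested_domain(url: str, session: Session) -> str:
    # Domain is optional in the advisory's URLs; this model assumes it
    # then falls back to the session's own domain.
    values = parse_qs(urlsplit(url).query).get("Domain", [])
    if len(values) > 1:
        raise ValueError("ambiguous Domain parameter")
    return _norm(values[0]) if values else _norm(session.domain)

def allowed_flawed(url: str, session: Session) -> bool:
    # Behaviour the advisory describes: only the admin flag is consulted.
    return session.is_admin

def allowed_scoped(url: str, session: Session) -> bool:
    # Corrected check: admin flag AND the target domain is the admin's own.
    try:
        target = requested_domain(url, session)
    except ValueError:
        return False    # reject requests that name more than one domain
    return session.is_admin and target == _norm(session.domain)

def audit(urls, session):
    # Return (url, flawed_decision, scoped_decision) for each request.
    return [(u, allowed_flawed(u, session), allowed_scoped(u, session)) for u in urls]

# Constructed sample data: hosts, session id and numbers are placeholders.
ADMIN_A = Session(user="root", domain="a.example", is_admin=True)
SAMPLE_URLS = [
    "http://mail.example:8383/Xabc/aliasadmin.12345.cgi?mbx=Main",
    "http://mail.example:8383/Xabc/aliasadmin.12345.cgi?mbx=Main&Domain=A.Example.",
    "http://mail.example:8383/Xabc/listadm1.12345.cgi?mbx=Main&Domain=b.example",
]

if __name__ == "__main__":
    for url, flawed, scoped in audit(SAMPLE_URLS, ADMIN_A):
        print(f"flawed={flawed!s:5} scoped={scoped!s:5} {url}")
```

The same comparison can be run over web server access logs to find past requests where the Domain parameter named a host other than the session owner's domain.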

