IMail Web Service User Aliases / Mailing Lists Admin Vulnerability

Date                    : January 1, 2002
Author                  : Zeeshan Mustafa [security@zeeshan.net]
Application             : IPSwitch IMail Web Service
Versions Tested         : 7.05/7.04/7.03/7.02/7.01/6.x
Exploitable             : Remote
Vendor Status           : Notified
Impact of vulnerability : Forced control of user aliases and mail lists

Overview:

IPSwitch IMail Web Service is a popular daemon, a web-based popper used by
most of the ISPs and hosting companies. A flaw in IPSwitch IMail Web Service
Version 7.05 allows an admin of a domain hosted on the target machine to take
control of alias and list administration for any domain hosted on the same
machine.

Details:

There is a flaw in the way IMail Web Service checks that a session holds
'admin' privilege for the domain whose aliases are being administered. For
any domain it *only* checks whether the current user is an admin, rather than
checking whether the current user is an admin on the current domain. An
attacker could list/view/add/edit/delete user aliases and mailing lists.

Proof of Concept:

Vulnerability 1:
================
Objective: To administrate the user aliases.

Example:
http://<hostname>:8383/<session id>/aliasadmin.<rnd>.cgi?mbx=Main&Domain=[mail host]

<hostname>   : Hostname of the target machine.
<session id> : Random session id.
<rnd>        : Some 5 digits random number.
[mail host]  : (optional) Host of which you want to administrate the aliases.

Vulnerability 2:
================
Objective: To administrate the mailing lists.

Example:
http://<hostname>:8383/<session id>/listadm1.<rnd>.cgi?mbx=Main&Domain=[mail host]

<hostname>   : Hostname of the target machine.
<session id> : Random session id.
<rnd>        : Some 5 digits random number.
[mail host]  : (optional) Host of which you want to administrate the mailing lists.
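
Added example, not part of the original advisory and not IMail code: a minimal model of the check described under Details, showing the admin-only test beside a domain-scoped one and a helper that flags requests only the flawed check admits. Session, SESSIONS and all function names are hypothetical, and the sample sessions and domains are constructed.

```python
# Added illustration; names are hypothetical, not IMail internals.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    user: str
    domain: str      # domain the account belongs to
    is_admin: bool   # admin flag, meaningful only for `domain`

# Constructed sample sessions for two hosted domains on one machine.
SESSIONS = {
    "sid-a": Session("alice", "a.example", True),
    "sid-b": Session("bob", "b.example", False),
}

def target_domain(session: Session, domain_param: Optional[str]) -> str:
    # The Domain parameter is optional; default to the session's own domain.
    return (domain_param or session.domain).strip().lower()

def authorize_flawed(sid: str, domain_param: Optional[str]) -> bool:
    """Behaviour described in the advisory: only the admin flag is checked."""
    session = SESSIONS.get(sid)
    return session is not None and session.is_admin

def authorize_scoped(sid: str, domain_param: Optional[str]) -> bool:
    """Corrected check: admin flag AND the target domain is the admin's own."""
    session = SESSIONS.get(sid)
    if session is None or not session.is_admin:
        return False
    return target_domain(session, domain_param) == session.domain.lower()

def cross_domain_requests(requests):
    """Flag requests the flawed check admits but the scoped check rejects."""
    return [(sid, dom) for sid, dom in requests
            if authorize_flawed(sid, dom) and not authorize_scoped(sid, dom)]

if __name__ == "__main__":
    sample = [("sid-a", None), ("sid-a", "A.Example"),
              ("sid-a", "b.example"), ("sid-b", "b.example")]
    for sid, dom in sample:
        print(sid, dom, authorize_flawed(sid, dom), authorize_scoped(sid, dom))
    print("cross-domain:", cross_domain_requests(sample))
```

The same comparison can be run over parsed web-service access logs to find administration requests whose Domain value differs from the session owner's domain.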