Hi Richard,

Here is what I sent out to the IMGate list regarding this problem and a fix
until Ipswitch releases a patch:

<snip>
Verified on IMail 6.06 running HKSI Classic templates.  At least on 6.06
there is no point-and-click way to disable admin functions for domain and
host admins from WebMail using the GUI--only disabling WebMail completely.

A quick fix is to rename the HTML files that are used in the Admin options
for domain admins (hopefully you trust your host admins ;-).  This way, when
a user chooses the menu option (or an attacker types in the URL), they will
get a message stating the template is invalid.

On my installation, this meant renaming the following:

aliasadmin.html (for alias administration)
chghostrule.html (for domain processing rules)
editnews.html (for news editing)
listadm.html  (for list administration)
usradmin.html (for user administration)

You can stick a .foo (or something else) extension on them for easy sorting
and renaming once Ipswitch comes out with a patch.

Note, YMMV according to IMail version and template type and version.
</snip>

Chris Scott
Host Orlando, Inc.
http://www.hostorlando.com/

> ----------------------------------------------------------------------
>
> Date: Wed, 02 Jan 2002 10:48:55 -0800
> From: Richard Wong <[EMAIL PROTECTED]>
> Subject: [IMail Forum] IMail Web Service User Aliases / Mailing Lists Admin
> Reply-To: [EMAIL PROTECTED]
>
> Happy new year all,
>
> I saw the following IMail vulnerability posted on bugtraq.  Does anyone
> know of a fix for it?
>
> Cheers,
>
> Richard
>
> > Subject: IMail Web Service User Aliases / Mailing Lists Admin Vulnerability
> > Date: 31 Dec 2001 22:31:16 +0000
> >
> > IMail Web Service User Aliases / Mailing Lists Admin Vulnerability
> >
> > Date                    : January 1, 2002
> > Author                  : Zeeshan Mustafa [[EMAIL PROTECTED]]
> > Application             : IPSwitch IMail Web Service
> > Versions Tested         : 7.05/7.04/7.03/7.02/7.01/6.x
> > Exploitable             : Remote
> > Vendor Status           : Notified
> > Impact of vulnerability : Forced control of user aliases and mail lists
> >
> > Overview:
> >
> >     IPSwitch IMail Web Service is a popular daemon, web-based popper used by
> >     most of the ISPs and hosting companies. A flaw in IPSwitch IMail Web Service
> >     Version 7.05 allows an admin of a domain hosted on the target machine
> >     to take control over Aliases' and Lists' Administration of any domain hosted
> >     on the same machine.
> >
> > Details:
> >
> >     There is a flaw in the way IMail Web Service checks for a correct 'admin'
> >     privileged session for some domain to administrate aliases. For any domain
> >     it *only* checks if the current user is admin or not, rather than checking
> >     if the current user is admin on the current domain. An attacker could
> >     list/view/add/edit/delete user aliases and mailing lists.
> >
> > Proof of Concept:
> >
> > Vulnerability 1:
> > ================
> >
> >     Objective: To administrate the user aliases.
> >     Example:
> >
> >     http://<hostname>:8383/<session id>/aliasadmin.<rnd>.cgi?mbx=Main&Domain=[mail host]
> >
> >     <hostname>: Hostname of the target machine.
> >     <session id>: Random session id.
> >     <rnd>: Some 5-digit random number.
> >     [mail host]: (optional) Host of which you want to administrate the aliases.
> >
> > Vulnerability 2:
> > ================
> >
> >     Objective: To administrate the mailing lists.
> >     Example:
> >
> >     http://<hostname>:8383/<session id>/listadm1.<rnd>.cgi?mbx=Main&Domain=[mail host]
> >
> >     <hostname>: Hostname of the target machine.
> >     <session id>: Random session id.
> >     <rnd>: Some 5-digit random number.
> >     [mail host]: (optional) Host of which you want to administrate the mailing lists.
>
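The "Details" section of the quoted advisory describes an authorization check that asks only "is this user an admin?" instead of "is this user an admin of the domain named in the request?". The following is an added example, not IMail's code and not from the advisory or from anyone in this thread: a hypothetical model of a web-mail session and an alias-admin handler, with the flawed check beside a hardened one that scopes the decision to the `Domain=` parameter from the PoC URL (falling back to the session's own domain when the optional parameter is absent). The `Session` class, the `example-a.test`/`example-b.test` domains and the handler names are all constructed for the illustration.

```python
"""Model of a per-domain authorization check (added example, not IMail code).

The advisory says the web service checks only whether the current user is an
admin, not whether they are an admin of the domain the request targets.  The
two authorize functions below contrast that flaw with a domain-scoped check.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for an authenticated web-mail session."""
    user: str
    home_domain: str          # domain the account itself lives in
    is_admin: bool            # domain/host admin flag (the only thing the flaw consults)
    admin_domains: frozenset  # lower-cased domains this account may administer


def requested_domain(query: str, session: Session) -> str:
    """Domain the request targets.  The advisory marks Domain= as optional,
    so an absent or blank value falls back to the session's own domain."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("Domain", [])
    domain = values[0] if values and values[0].strip() else session.home_domain
    return domain.strip().lower()


def vulnerable_authorize(session: Session, query: str) -> bool:
    """Models the flaw: 'only checks if the current user is admin or not'.
    The Domain= parameter never influences the decision."""
    return session.is_admin


def hardened_authorize(session: Session, query: str) -> bool:
    """Require admin rights on the specific domain the request names."""
    domain = requested_domain(query, session)
    return session.is_admin and domain in session.admin_domains


def alias_admin_handler(session: Session, query: str, authorize) -> str:
    """Tiny stand-in for aliasadmin.cgi: deny unless the chosen check passes."""
    if not authorize(session, query):
        return "403 Forbidden"
    return f"200 OK alias admin for {requested_domain(query, session)}"


def demo() -> dict:
    """Run both checks against the cross-domain request from the PoC URL."""
    alice = Session("alice", "example-a.test", True, frozenset({"example-a.test"}))
    bob = Session("bob", "example-a.test", False, frozenset())
    cross_domain = "mbx=Main&Domain=Example-B.test"   # constructed request
    own_domain = "mbx=Main"                            # Domain= omitted
    return {
        "vulnerable_cross_domain": alias_admin_handler(alice, cross_domain, vulnerable_authorize),
        "hardened_cross_domain": alias_admin_handler(alice, cross_domain, hardened_authorize),
        "hardened_own_domain": alias_admin_handler(alice, own_domain, hardened_authorize),
        "hardened_non_admin": alias_admin_handler(bob, own_domain, hardened_authorize),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is that the privilege flag alone is not an authorization decision; the resource identifier carried in the request (here `Domain=`) has to be compared against the scope the session was actually granted, and the comparison should be normalized (case, whitespace) so that trivial variants of the domain name do not slip past it.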



An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/