> Verified on IMail 6.06 running HKSI Classic templates. At least on 6.06
> there is no point and click way to disable admin functions for domain and
> host admins from WebMail using the GUI--only disabling WebMail completely.

Well, you could pretty quickly disable your Host Admins from having any host admin rights by unchecking the Host Admin option from the IMail admin console, or from the web interface. They would then not be able to access any admin features or options.

> A quick fix is to rename the HTML files that are used in the Admin options
> for domain admins (hopefully you trust your host admins ;-). This way, when
> a user chooses the menu option (or an attacker types in the URL), they will
> get a message stating the template is invalid.
>
> On my installation, this meant renaming the following:
>
> aliasadmin.html (for alias administration)
> chghostrule.html (for domain processing rules)

Whoa, the bugtraq poster missed one, huh, and it's a BIG one. The chghostrule.html file allows your Host Admins to administer rules (filters) on any domain on the server, including your primary host, so in theory ALL inbound mail could be re-routed or deleted, or all your spam-catching rules could be deleted. I'll be updating our KB article shortly to include that file. Nice catch, Chris.

> editnews.html (for news editing)

I'll be testing both the editnews.html and editwelc.html files next. Both are of relatively low security importance in webmail, other than perhaps redirecting web browsers with JavaScript or a meta refresh.

> listadm.html (for list administration)
> usradmin.html (for user administration)

I've tested the usradmin.html file for this security flaw against both IMail 6.06 and 7.05, and cannot find the same flaw, so renaming or editing that file is imho unnecessary, and will only cause you more work if you're used to your host admins doing their own user admin.

Anyone from Ipswitch wanna step in here and give us an idea of how you're coming on the fix to the iwebmsg service?

Ron Hornbaker
President/CTO
http://humankindsystems.com
w e c o d e. w e c a r e.
http://AnswerTrack.com - eCRM email tracking solution
http://KillerWebMail.com - the name says it all
http://hksi.net/products - EZSignUp, You'veGotIMail!, etc...
http://hksi.net/testimonials - 2,155 admins can't be wrong
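A scripted form of the template-renaming workaround discussed in this thread, added here as an example and not code from the thread, Ipswitch or HKSI. The template directory path is a placeholder you must set for your installation, and the file list follows the thread (usradmin.html is left out, since the reply above could not reproduce the flaw through it); `-Revert` undoes the change.

```powershell
# Added example: disable IMail WebMail admin templates by renaming them, so a
# request for the template gets IMail's "template is invalid" message instead.
# $TemplateDir is a PLACEHOLDER; point it at your WebMail template folder.
param(
    [string]$TemplateDir = 'C:\PATH\TO\IMAIL\WEBMAIL\TEMPLATES',   # placeholder
    [switch]$Revert
)

# Templates named in this thread. usradmin.html is deliberately omitted
# because the reply above found no flaw reachable through it on 6.06 or 7.05.
$Templates = @('aliasadmin.html', 'chghostrule.html', 'editnews.html', 'listadm.html')
$Suffix = '.disabled'

foreach ($name in $Templates) {
    $live     = Join-Path $TemplateDir $name
    $disabled = $live + $Suffix

    if ($Revert) {
        if (Test-Path $disabled) {
            Rename-Item -Path $disabled -NewName $name
            Write-Output "Restored $name"
        } else {
            Write-Output "Nothing to restore for $name"
        }
        continue
    }

    if (Test-Path $live) {
        Rename-Item -Path $live -NewName ($name + $Suffix)
        Write-Output "Disabled $name -> $name$Suffix"
    } elseif (Test-Path $disabled) {
        Write-Output "$name already disabled"
    } else {
        Write-Warning "$name not found in $TemplateDir (your template set may differ)"
    }
}

# Final check: report any admin template that is still present under its live name.
$stillLive = $Templates | Where-Object { Test-Path (Join-Path $TemplateDir $_) }
if (-not $Revert -and $stillLive) {
    Write-Warning ("Still live: " + ($stillLive -join ', '))
}
```

Run it once after each IMail or template upgrade, since an upgrade may restore the original file names.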
