>> Verified on IMail 6.06 running HKSI Classic templates. At least on 6.06
>> there is no point and click way to disable admin functions for
>> domain and host admins from WebMail using the GUI--only disabling WebMail
>> completely.
>
> Well, you could pretty quickly disable your Host Admins from having any
> host admin rights by unchecking the Host Admin option from the IMail admin
> console, or from the web interface. They would then not be able to access
> any admin features or options.
>
Wouldn't this also prevent them from using the Web administration on port 8181?

>
>> A quick fix is to rename the HTML files that are used in the Admin options
>> for domain admins (hopefully you trust your host admins ;-). This way, when
>> a user chooses the menu option (or an attacker types in the URL), they will
>> get a message stating the template is invalid.
>>
>> On my installation, this meant renaming the following:
>>
>> aliasadmin.html (for alias administration)
>> chghostrule.html (for domain processing rules)
>
> Whoa, the bugtraq poster missed one, huh, and it's a BIG one. The
> chghostrule.html file allows your Host Admins to administer rules
> (filters) on any domain on the server, including your primary host, so in
> theory ALL inbound mail could be re-routed or deleted, or all your
> spam-catching rules could be deleted. I'll be updating our KB article
> shortly to include that file. Nice catch, Chris.
>
>
>> editnews.html (for news editing)
>
> I'll be testing both the editnews.html and editwelc.html files next. Both
> are of relatively low security importance in webmail, other than perhaps
> redirecting web browsers with JavaScript or a meta refresh.
>
>> listadm.html (for list administration)
>> usradmin.html (for user administration)
>
> I've tested the usradmin.html file for this security flaw against both
> IMail 6.06 and 7.05, and cannot find the same flaw, so renaming or editing
> that file is imho unnecessary, and will only cause you more work if you're
> used to your host admins doing their own user admin.
>

We don't run lists on IMail, but I figured better safe than sorry, just in case.

> Anyone from Ipswitch wanna step in here and give us an idea of how you're
> coming on the fix to the iwebmsg service?
>
>
> Ron Hornbaker
> President/CTO
> . . . . . . . . . . . . http://humankindsystems.com
> . . . . . . . . . . . . w e c o d e. w e c a r e.
>
> . http://AnswerTrack.com - eCRM email tracking solution
> . http://KillerWebMail.com - the name says it all
> . http://hksi.net/products - EZSignUp, You'veGotIMail!, etc...
> . http://hksi.net/testimonials - 2,155 admins can't be wrong
>
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
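The rename workaround discussed in the thread, scripted so it can be applied and audited consistently. This is an added example, not code from the thread, from Ipswitch or from HKSI. The template names are the ones listed above; the template directory path, the `.disabled` suffix and the `make_demo_template_dir()` sample data are assumptions, and usradmin.html is kept in the list only because the poster chose to rename it (Ron reports it does not show the flaw on 6.06 or 7.05, so drop it if your host admins need user admin).

```python
"""Rename IMail WebMail admin templates so iwebmsg reports them as invalid.

Added example (not from the mailing-list thread, Ipswitch or HKSI). It
automates the stop-gap described in the thread: once a template file is no
longer present under its expected name, choosing the menu option or typing
the URL gives the "template is invalid" message instead of the admin page.
The directory path used in __main__ and the DISABLED_SUFFIX are assumed.
"""
import tempfile
from pathlib import Path

# Template names as listed in the thread (comments reflect the poster's list).
ADMIN_TEMPLATES = (
    "aliasadmin.html",   # alias administration
    "chghostrule.html",  # domain processing rules; reaches every domain incl. primary host
    "editnews.html",     # news editing
    "listadm.html",      # list administration
    "usradmin.html",     # user administration; reportedly not affected, optional
)

DISABLED_SUFFIX = ".disabled"  # assumed; any name other than the .html one will do


def disable_admin_templates(template_dir, names=ADMIN_TEMPLATES):
    """Rename each admin template out of the way.

    Returns {template name: 'renamed' | 'already-disabled' | 'missing' | 'conflict'}.
    Idempotent: a template that was already renamed is left alone, and a
    template that exists both as .html and as .disabled is not touched
    (on Windows the rename would fail; on POSIX it would silently clobber).
    """
    template_dir = Path(template_dir)
    report = {}
    for name in names:
        src = template_dir / name
        dst = template_dir / (name + DISABLED_SUFFIX)
        if src.exists() and dst.exists():
            report[name] = "conflict"
        elif src.exists():
            src.rename(dst)
            report[name] = "renamed"
        elif dst.exists():
            report[name] = "already-disabled"
        else:
            report[name] = "missing"
    return report


def restore_admin_templates(template_dir, names=ADMIN_TEMPLATES):
    """Undo disable_admin_templates(); returns the names actually restored."""
    template_dir = Path(template_dir)
    restored = []
    for name in names:
        dst = template_dir / (name + DISABLED_SUFFIX)
        if dst.exists() and not (template_dir / name).exists():
            dst.rename(template_dir / name)
            restored.append(name)
    return restored


def remaining_admin_templates(template_dir, names=ADMIN_TEMPLATES):
    """Audit check: admin templates still reachable under their real name."""
    template_dir = Path(template_dir)
    return [n for n in names if (template_dir / n).exists()]


def make_demo_template_dir():
    """Constructed sample data: a throwaway directory with three of the templates.

    Stands in for a real HKSI template directory so the functions above can
    be exercised offline; the HTML content is a placeholder.
    """
    d = Path(tempfile.mkdtemp(prefix="imail-templates-"))
    for name in ("aliasadmin.html", "chghostrule.html", "usradmin.html"):
        (d / name).write_text("<html><!-- placeholder template --></html>\n")
    return str(d)


if __name__ == "__main__":
    import sys
    # Assumed default path; pass the real HKSI template directory as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_template_dir()
    for name, status in disable_admin_templates(target).items():
        print(f"{status:18} {name}")
    print("still reachable:", remaining_admin_templates(target))
```

After running it against the real template directory, confirm the effect the way the thread describes: log in to WebMail as a host admin, pick the admin menu option, and check that the response is the invalid-template message rather than the admin form. Keep the `.disabled` copies so you can restore them once Ipswitch ships a fix for iwebmsg.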
