Actually, this is a big problem if you are hosting multiple domains since it
applies to domain admins.  If you host multiple domains and give each domain
an account with domain admin access, that account can be used to
modify/add/delete users and aliases in _other_ domains.  The problem is that
I trust a domain admin only w/their domain but the vulnerability circumvents
that.

I have tested this w/6.06 and it does allow an admin for one domain to have
rights to admin another domain's users and aliases--definitely not a good
thing.

If I'm missing something or someone has any more info, please let me know.
(I posted another message earlier w/a workaround but I'm not sure if it is
still in the queue or got lost).

Chris Scott
Host Orlando

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
> Sent: Thursday, January 03, 2002 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] IMail Web Service User Aliases / Mailing
> Lists Admin Vulnerability
>
>
>
> >I saw this following IMail vulnerability posted on bugtraq.  Does anyone
> >know a fix for it?
>
> It's been posted here about half a dozen times in the past week, and since
> it is such a minor problem, people don't seem to be too concerned.
> Basically, the problem only occurs if you give power to people you don't
> trust.  I'm sure Ipswitch will take care of this, but it doesn't seem to be
> too pressing of an issue.  A hacker can't take advantage of this, only
> someone you have given power to can.
>
>                                                     -Scott
> ---
> Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
> IMail.  http://www.declude.com
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
>

