> I saw this following IMail vulnerability posted on bugtraq.
> Does anyone know a fix for it?
>
> IMail Web Service User Aliases / Mailing Lists Admin
> Vulnerability
> Date : January 1, 2002
> Author : Zeeshan Mustafa
> [[EMAIL PROTECTED]]
> Application : IPSwitch IMail Web Service
> Versions Test : 7.05/7.04/7.03/7.02/7.01/6.x
> Exploitable : Remote
> Vendor Status : Notified
> Impact of vulnerability : Forced control of user aliases
> and mail lists
<snip>
I would agree that this is a serious webmail security flaw, and anyone hosting IMail domains for others, and giving out Host Admin rights on their virtual domains to individuals they cannot trust 110%, should be very concerned.

Armed with the knowledge in that bugtraq posting, a Host Admin for any one of your virtual domains can easily administer the aliases and lists of any domain on your server. With many of you using aliases like "sales" and "support", this could have immediate economic impact if they redirected those addresses. And with big lists, imagine someone getting the complete list of subscribers' email addresses, or UNsubscribing everyone for you. Wouldn't that be fun. :|

We've been working on this pretty hard today, and have written up a KB article with two different fixes, so if you are at risk you can deal with this problem while waiting on a definitive fix from Ipswitch. Here it is:

http://support.answertrack.com/?kb=835

Ron Hornbaker
President/CTO
http://humankindsystems.com
w e c o d e. w e c a r e.
http://AnswerTrack.com - eCRM email tracking solution
http://KillerWebMail.com - the name says it all
http://hksi.net/products - EZSignUp, You'veGotIMail!, etc...
http://hksi.net/testimonials - 2,155 admins can't be wrong

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
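The flaw described in the thread is a missing tenant-scoping check: the web service lets a Host Admin act on aliases and lists of a domain other than the one they were granted rights on. The following is an added example, not code from the thread, from Ipswitch, or from the KB article it links to; it is a toy model of a multi-tenant alias admin API that places the unscoped pattern beside the fixed one, and adds a small audit-log check a hosting admin could use to review cross-domain alias changes. All names, domains and log entries are constructed for illustration.

```python
"""Toy model of a multi-tenant webmail admin API (added example, not IMail code).

Shows the authorization flaw class from the thread: an alias/list operation
that trusts the 'domain' request parameter instead of the domain the
authenticated Host Admin actually owns, next to the server-side check that
closes it, and a detection pass over a constructed audit log.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (actor, actor_domain, target_domain, alias, outcome) -- constructed log shape
LogEntry = Tuple[str, str, str, str, str]


class AuthorizationError(Exception):
    """Raised when an admin tries to act outside the domain they were granted."""


@dataclass
class HostAdmin:
    username: str
    domain: str  # the single virtual domain this Host Admin may manage


@dataclass
class MailServer:
    # domain -> alias name -> forwarding target
    aliases: Dict[str, Dict[str, str]] = field(default_factory=dict)
    audit_log: List[LogEntry] = field(default_factory=list)

    def set_alias_unscoped(self, admin: HostAdmin, domain: str, alias: str, target: str) -> None:
        """Flawed pattern: the domain to modify comes straight from the request
        and is never compared with the domain the admin owns, so a Host Admin of
        one virtual domain can redirect aliases on any domain the server hosts."""
        self.aliases.setdefault(domain, {})[alias] = target
        self.audit_log.append((admin.username, admin.domain, domain, alias, "ok"))

    def set_alias(self, admin: HostAdmin, domain: str, alias: str, target: str) -> None:
        """Fixed pattern: authorization is decided from server-side session state
        (admin.domain), not from the request parameter; the two must match."""
        if domain.lower() != admin.domain.lower():
            self.audit_log.append((admin.username, admin.domain, domain, alias, "denied"))
            raise AuthorizationError(
                f"{admin.username}@{admin.domain} may not manage aliases on {domain}")
        self.aliases.setdefault(domain, {})[alias] = target
        self.audit_log.append((admin.username, admin.domain, domain, alias, "ok"))


def cross_domain_changes(log: List[LogEntry]) -> List[LogEntry]:
    """Detection: successful alias changes where the acting admin's domain differs
    from the domain that was modified. On a server carrying the flaw, these are
    the entries worth reviewing (and reverting) first."""
    return [e for e in log if e[4] == "ok" and e[1].lower() != e[2].lower()]


def demo() -> Tuple[str, bool, int]:
    """Constructed scenario: a Host Admin of other-tenant.net submits a change
    against the 'sales' alias of example.com through both code paths.
    Returns (alias target after the unscoped call, whether the scoped call was
    blocked, number of cross-domain changes found in the audit log)."""
    server = MailServer(aliases={"example.com": {"sales": "sales-team@example.com"}})
    outsider = HostAdmin("hostadmin", "other-tenant.net")

    # Unscoped path: the change lands on a domain the admin does not own.
    server.set_alias_unscoped(outsider, "example.com", "sales", "redirect@other-tenant.net")
    redirected = server.aliases["example.com"]["sales"]

    # Scoped path: the same request is refused and logged as denied.
    try:
        server.set_alias(outsider, "example.com", "sales", "redirect2@other-tenant.net")
        blocked = False
    except AuthorizationError:
        blocked = True

    # The admin can still manage their own domain through the scoped path.
    server.set_alias(outsider, "other-tenant.net", "support", "help@other-tenant.net")

    return redirected, blocked, len(cross_domain_changes(server.audit_log))


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the domain comes from: the fixed path never lets a request parameter widen what an admin may touch, and the audit-log pass gives a hosting provider a way to find alias or list changes made across tenant boundaries while the real fix is pending.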
