ISS X-Force Database: merak-icewarp-user-path-disclosure(19152): Merak Mail Server with IceWarp Web Mail user path disclosure

Merak Mail Server with IceWarp Web Mail user path disclosure

merak-icewarp-user-path-disclosure (19152)

Medium Risk

Description:

Merak Mail Server could allow a remote attacker with an account to obtain sensitive information, caused by a vulnerability in the IceWarp Web Mail service. A remote attacker could send a specially-crafted URL request to the calendar_d.html, the calendar_m.html, the calendar_w.html or the calendar_y.html script to cause the full installation path of the server to be disclosed.

Platforms Affected:

IceWarp Software, IceWarp Web Mail 5.3.2
IceWarp Software, Merak Mail Server 7.6.4r

Remedy:

Upgrade to the latest version of Merak Mail Server (7.6.4r with Icewarp Web Mail 5.3.2 or later), available from the Merak Mail Server Web site. See References.

As a workaround, disable the Icewarp Web Mail service.

Consequences:

Obtain Information

References:

BugTraq Mailing List, Fri Jan 28 2005 - 19:05:54 CST , Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes at http://archives.neohapsis.com/archives/bugtraq/2005-01/0318.html.
IceWarp Software Download Web page, IceWarp Universal Webmail at http://www.icewarp.com/downloads/windows_platform/index.php.
Merak Mail Server Web site, Merak Mail Server Software at http://www.merakmailserver.com/Products/Merak_Mail_Server/.
BID-12396: IceWarp Web Mail Multiple Remote Vulnerabilities
CVE-2005-0321: MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote authenticated users to gain sensitive information via an HTTP request to (1) calendar_d.html, (2) calendar_m.html, (3) calendar_w.html, or (4) calendar_y.html, which reveal the installation path.

Reported:

Jan 28, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page