[原文]Multiple directory traversal vulnerabilities Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7, and possibly other versions, allow remote attackers to (1) create arbitrary directories via a .. (dot dot) in the user parameter to viewaction.html or (2) rename arbitrary files via a ....// (doubled dot dot) in the folderold or folder parameters to folders.html.
IceWarp Merak Mail Server with IceWarp Web Mail contains a flaw that allows a remote attacker to arbitrary create directories. The issue is due to the 'viewaction.html' page not properly sanitizing user input, specifically traversal style attacks (../) supplied via the 'folder' variable.
Upgrade to Merak Mail Server 7.6.0 with IceWarp Web Mail 5.3.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Disable the IceWarp Web Mail service.