[Original text] accountsettings_add.html in Merak Mail Server 7.4.5 with IceWarp Web Mail 5.2.7, and possibly other versions, allows remote attackers to create text files with arbitrary content via the accountid parameter.
IceWarp Web Mail contains a flaw that may allow a remote attacker to create arbitrary files on the system. The issue is due to the accountsettings_add.html script not properly sanitizing user input and allowing custom content to be specified. The server will create a file called "accounts.dat" with the user-supplied input, which may lead to further privilege escalation.
Upgrade to version 5.2.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.