[原文]viewaction.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to (1) delete arbitrary files via the originalfolder parameter or (2) move arbitrary files via the messageid parameter.
IceWarp Merak Mail Server with IceWarp Web Mail contains a flaw that allows a remote attacker to arbitrary manipulate and/or delete files and directories. The issue is due to the 'viewaction.html' page not properly sanitizing user input, specifically traversal style attacks (...//) supplied via the 'messageid' variable.
Upgrade to Merak Mail Server 7.6.0 with IceWarp Web Mail 5.3.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Disable the IceWarp Web Mail service.