The (1) address.html and possibly (2) calendar.html pages in Merak Mail Server 5.2.7 allow remote attackers to gain sensitive information via an invalid HTTP request, which reveals the installation path. NOTE: it is unclear whether the calendar.html is an exposure, since the path is leaked in web logs that may only be available to the administrators, who would have access to the path through legitimate means.
The webmail package embedded in Merak Mail Server is reported to be prone to multiple vulnerabilities.
The vulnerabilities reported are:
- Multiple cross-site scripting vulnerabilities
- An HTML injection vulnerability
- A PHP source code disclosure vulnerability
- An SQL injection vulnerability
These vulnerabilities are reported to exist in versions prior to 7.5.2.
Merak Mail Server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the calendar.html script is called with invalid arguments, which discloses the installation path and results in a loss of confidentiality.
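The path-disclosure class described above (an error page or log line that echoes an absolute filesystem path) is easy to check for on the defending side. The following is an added example, not code from the advisory or from the Merak product: a small scanner that flags absolute Windows or POSIX paths in HTTP response bodies or log text and reports the directories they reveal. The sample bodies are constructed, and the path they contain is a placeholder, not the product's real installation directory.

```python
import re

# Constructed sample responses (not captured from a real server). The
# "C:\inst-dir" prefix is a placeholder standing in for whatever directory
# a server might leak; it is not the product's actual install location.
SAMPLE_ERROR_BODY = (
    "<html><body><h1>Script error</h1>"
    "<p>Cannot open template in C:\\inst-dir\\html\\calendar.html on line 12</p>"
    "</body></html>"
)
SAMPLE_CLEAN_BODY = "<html><body><p>Invalid request.</p></body></html>"

# Absolute Windows path: drive letter, colon, backslash, then path segments
# without whitespace or HTML/quote delimiters.
WINDOWS_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\\s<>"\']+\\)*[^\\\s<>"\']+')

# Absolute POSIX path under common install roots (kept deliberately narrow so
# that URL paths such as "/index.html" are not reported as disclosures).
POSIX_PATH = re.compile(r'(?<![\w/])/(?:usr|opt|var|home|srv|etc)/[^\s<>"\']+')


def find_leaked_paths(text: str) -> list[str]:
    """Return every absolute filesystem path found in text, in order, without duplicates."""
    found: list[str] = []
    for pattern in (WINDOWS_PATH, POSIX_PATH):
        for match in pattern.finditer(text):
            path = match.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
            if path not in found:
                found.append(path)
    return found


def install_dir(path: str) -> str:
    """Strip the final component so the leaked directory itself is reported."""
    sep = "\\" if "\\" in path else "/"
    return path.rsplit(sep, 1)[0]


def scan_response(body: str) -> dict:
    """Summarise what a single response body discloses.

    'leaked_paths' lists the raw paths; 'directories' lists the distinct parent
    directories, which is the information an attacker would actually learn.
    """
    leaks = find_leaked_paths(body)
    return {
        "leaked_paths": leaks,
        "directories": sorted({install_dir(p) for p in leaks}),
    }


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Scan log or response lines; return (line_number, path) for each disclosure."""
    hits: list[tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for path in find_leaked_paths(line):
            hits.append((number, path))
    return hits


if __name__ == "__main__":
    print(scan_response(SAMPLE_ERROR_BODY))
    print(scan_response(SAMPLE_CLEAN_BODY))
    print(scan_lines(SAMPLE_ERROR_BODY.splitlines()))
```

Running this over stored responses from a test of error handling (or over an error log) gives a quick signal that a script is echoing server-side paths; the fix on the server side is to return a generic error page and keep the detailed message in logs that only administrators can read, which is exactly the distinction the NOTE above draws for calendar.html.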
Upgrade to version 7.5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.