[Original text] AMAX Magic Winmail Server 3.6 allows remote attackers to obtain sensitive information by entering (1) invalid characters such as "()" or (2) a large number of characters in the Lookup field on the netaddressbook.php web form, which reveals the path in an ldaplib.php error message when the ldap_search function fails, due to improper processing of the $keyword variable.
Winmail Server ldaplib.php Error Message Path Disclosure
Remote / Network Access
Loss of Confidentiality
Magic Winmail Server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered because ldaplib.php does not properly filter user input; the resulting error message discloses the installation path, resulting in a loss of confidentiality.
Upgrade to version 3.8 (Build 0509) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.