Multiple directory traversal vulnerabilities in Argosoft Mail Server Pro 18.104.22.168 allow remote authenticated users to (1) read arbitrary files via the UIDL parameter to the msg script or (2) copy or move the user's .eml file to arbitrary locations via the delete script, a different vulnerability than CVE-2005-0367.
ArGoSoft Mail Server msg Script Traversal Arbitrary File Access
Remote / Network Access
Loss of Confidentiality
Argosoft Mail Server Pro contains a flaw that allows a remote attacker to view arbitrary files on the mail server outside of the web path. The issue is due to the msg script not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the "UIDL" variable. An authenticated attacker can view other users' messages, configuration files, or other text files on the mail server.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
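For developers of comparable webmail handlers, the input check that the msg script is described as lacking can be sketched as below. This is an added example, not Argosoft's code: the per-user mailbox directory, the `<UIDL>.eml` file naming, the UIDL allow-list and all function names are assumptions, and the files are constructed sample data.

```python
import os
import re
import tempfile

# Assumption: UIDLs are short opaque tokens; this allow-list is illustrative.
UIDL_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class InvalidUIDL(ValueError):
    pass


def resolve_message_path(mailbox_dir, uidl):
    """Map a client-supplied UIDL to an .eml file inside mailbox_dir, or raise."""
    # 1. Allow-list: no separators, dots, percent-encoding, drive letters or NULs.
    if not UIDL_RE.fullmatch(uidl):
        raise InvalidUIDL("UIDL has characters outside the allow-list")
    # 2. Canonicalise, then confirm containment (also catches symlinks).
    base = os.path.realpath(mailbox_dir)
    candidate = os.path.realpath(os.path.join(base, uidl + ".eml"))
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidUIDL("resolved path escapes the mailbox directory")
    return candidate


def demo():
    """Run the check over a constructed layout: two mailboxes and a config file."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        alice, bob = os.path.join(root, "alice"), os.path.join(root, "bob")
        os.makedirs(alice)
        os.makedirs(bob)
        for path, body in [(os.path.join(alice, "msg001.eml"), b"own message"),
                           (os.path.join(bob, "msg002.eml"), b"bob's message"),
                           (os.path.join(root, "server.ini"), b"config")]:
            with open(path, "wb") as fh:
                fh.write(body)
        # A symlink inside alice's mailbox that points at bob's message.
        os.symlink(os.path.join(bob, "msg002.eml"), os.path.join(alice, "link.eml"))
        for uidl in ["msg001", "../bob/msg002", "..\\..\\server.ini",
                     "%2e%2e/bob/msg002", "link"]:
            try:
                with open(resolve_message_path(alice, uidl), "rb") as fh:
                    results[uidl] = fh.read()
            except InvalidUIDL:
                results[uidl] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The same resolver belongs in front of any copy or move destination derived from client input, which is the second case the description attributes to the delete script.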