The addnew script in Argosoft Mail Server Pro 220.127.116.11 allows remote attackers to create arbitrary accounts, even if "Allow Creation of Accounts From the Web Interface" is disabled, via a direct HTTP POST request.
ArGoSoft Mail Server addnew Script Arbitrary Account Creation
Remote / Network Access
Loss of Integrity
ArGoSoft Mail Server Pro contains a flaw that may allow a malicious user to create a new user account on the mail server. The issue is caused by improper validation of user-supplied input in the "addnew" script. The flaw may allow a remote unauthenticated attacker to send a specially crafted POST query to the "addnew" script and create a new user account, even if the "Allow Creation of Accounts From the Web Interface" option has been disabled, resulting in a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.