[Original text] Merak Mail Server 8.0.3 with IceWarp Web Mail 5.4.2 allows remote authenticated users to (1) move their home directory via viewaction.html or (2) move arbitrary files via the importfile parameter to importaction.html.
IceWarp Web Mail contains a flaw that may allow a remote attacker to manipulate arbitrary files on the web server. The issue is due to the importaction.html script not properly sanitizing input passed to the "importfile" parameter. This may allow an attacker to supply any path within the web root and create or view an arbitrary file.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
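With no fix listed, one defensive option is to review web server access logs for importaction.html requests whose importfile value is more than a bare file name. The following is an added example, not part of the original advisory or any vendor code. It assumes Combined Log Format logs, that importfile appears in the query string, and that legitimate values are bare file names; the log lines, user names and the /mail/ path are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (documentation IP range, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - alice [12/Mar/2024:10:01:02 +0000] "GET /mail/importaction.html?importfile=contacts.csv HTTP/1.1" 200 512',
    '192.0.2.44 - bob [12/Mar/2024:10:05:40 +0000] "GET /mail/importaction.html?importfile=..%2Fconfig%2Fsettings.cfg HTTP/1.1" 200 2048',
    '192.0.2.44 - bob [12/Mar/2024:10:05:58 +0000] "GET /mail/importaction.html?importfile=%252e%252e%255cother%255cfile.txt HTTP/1.1" 200 100',
    '192.0.2.10 - alice [12/Mar/2024:10:07:11 +0000] "GET /mail/viewaction.html?id=7 HTTP/1.1" 200 90',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def path_reasons(value):
    """Return the reasons a value is more than a bare file name."""
    reasons = []
    if "/" in value or "\\" in value:
        reasons.append("directory separator")
    if ".." in value:
        reasons.append("parent reference")
    if re.match(r"^[A-Za-z]:", value):
        reasons.append("drive letter")
    return reasons

def scan(lines):
    """Return (line_no, importfile, reasons) for suspicious importaction.html requests."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.lower().endswith("/importaction.html"):
            continue
        # parse_qs decodes once; fully_decode removes any further encoding layers.
        for raw in parse_qs(target.query, keep_blank_values=True).get("importfile", []):
            value = fully_decode(raw)
            reasons = path_reasons(value)
            if reasons:
                findings.append((no, value, reasons))
    return findings
```

Calling `scan(SAMPLE_LOG)` flags the second and third lines. If the deployment submits importfile in a POST body, the same `path_reasons` check would have to run on request bodies captured by a proxy or WAF instead.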