[Original text] Directory traversal vulnerability in the IMAP service for SPA-PRO Mail @Solomon 4.00 allows remote authenticated users to read other users' mail and perform operations on arbitrary directories via .. sequences in the (1) SELECT, (2) CREATE, (3) DELETE, and (4) RENAME commands.
SPA-PRO Mail @Solomon IMAP Multiple Command Traversal
Remote / Network Access
Loss of Confidentiality
SPA-PRO Mail @Solomon contains a flaw that allows a remote attacker to access or manipulate arbitrary content outside of their home directory. The issue is due to multiple commands not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the IMAP service.
Upgrade the SPA-IMAP4S component to version 4.05 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
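The missing input check described above, sketched as an added example; it is not SPA-PRO's code or the vendor's fix. It assumes filesystem-backed mailboxes under a per-user root with "/" as the hierarchy delimiter, and the names `resolve_mailbox`, `check_command` and `TraversalError` are hypothetical.

```python
import os
import shlex

# Commands named in the advisory -> number of leading mailbox arguments.
MAILBOX_ARGS = {"SELECT": 1, "CREATE": 1, "DELETE": 1, "RENAME": 2}


class TraversalError(ValueError):
    """Mailbox name would resolve outside the user's own mail root."""


def resolve_mailbox(user_root, mailbox):
    """Return the path for `mailbox` under `user_root`, or raise TraversalError."""
    # Normalise both separators so "..\\.." is caught as well as "../..".
    name = mailbox.replace("\\", "/")
    if name.endswith("/"):          # RFC 3501 allows a trailing delimiter on CREATE
        name = name[:-1]
    parts = name.split("/")
    # Empty parts cover absolute paths ("/etc") and doubled delimiters.
    if "\x00" in name or any(p in ("", ".", "..") for p in parts):
        raise TraversalError(f"illegal mailbox name: {mailbox!r}")
    root = os.path.realpath(user_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Second check after resolution: a symlink inside the root must not lead out.
    if not candidate.startswith(root + os.sep):
        raise TraversalError(f"mailbox escapes mail root: {mailbox!r}")
    return candidate


def check_command(user_root, line):
    """Validate the mailbox arguments of one tagged IMAP command line.

    Simplified parser (assumption): atoms and quoted strings only, no literals.
    Returns the resolved paths; commands without mailbox arguments return [].
    """
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split, lex.quotes, lex.commenters = True, '"', ""
    tokens = list(lex)
    if len(tokens) < 2:
        return []
    count = MAILBOX_ARGS.get(tokens[1].upper(), 0)
    return [resolve_mailbox(user_root, arg) for arg in tokens[2:2 + count]]
```

RENAME takes two mailbox names, so both the source and the destination are checked before any filesystem operation is attempted.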