[Original text] Multiple directory traversal vulnerabilities in (1) EPSTIMAP4S.EXE and (2) SPA-IMAP4S.EXE in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allow remote attackers to (a) list arbitrary directories or cause a denial of service via the LIST command; or create arbitrary files via the (b) APPEND, (c) COPY, or (d) RENAME commands.
E-Post Multiple Products IMAP LIST Command Traversal Arbitrary Directory Listing
Remote / Network Access
Loss of Confidentiality
E-Post contains a flaw that allows a remote attacker to list arbitrary directories on the server outside of the mail directory. The issue is due to the IMAP service not properly sanitizing user input, specifically traversal-style sequences (../../) supplied in the arguments to the LIST command.
Currently, there are no known workarounds or upgrades to correct this issue. However, E-POST Inc. has released a patch to address this vulnerability.
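The missing check described above, sketched as an added example (not E-Post's code or patch): an IMAP server confines every mailbox argument of LIST, APPEND, COPY and RENAME to the user's mail root before touching the filesystem. The function names, the concatenation of the LIST reference and pattern, and the rule that wildcards appear only in the last component are assumptions made for this illustration.

```python
import os
import re

SEPARATORS = re.compile(r"[/\\]")        # accept both; the affected servers run on Windows
FORBIDDEN = re.compile(r"[\x00-\x1f:]")  # control characters and the drive/stream colon

class MailboxNameError(ValueError):
    """A client-supplied mailbox argument is malformed or leaves the mail root."""

def mailbox_components(name):
    """Split a mailbox name into path components, rejecting traversal forms."""
    if not name or FORBIDDEN.search(name):
        raise MailboxNameError("empty name or forbidden character")
    parts = SEPARATORS.split(name)
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                      # tolerate one trailing delimiter ("Archive/")
    if any(p in ("", ".", "..") for p in parts):
        raise MailboxNameError("absolute, empty or dot component")
    return parts

def resolve_mailbox(mail_root, name):
    """Map an APPEND/COPY/RENAME mailbox argument to a path under mail_root."""
    root = os.path.realpath(mail_root)
    candidate = os.path.realpath(os.path.join(root, *mailbox_components(name)))
    # realpath follows symlinks, so a link pointing outside the root is caught too
    if os.path.commonpath([root, candidate]) != root:
        raise MailboxNameError("resolved path is outside the mail root")
    return candidate

def resolve_list(mail_root, reference, pattern):
    """Validate LIST arguments; return (directory to enumerate, leaf pattern)."""
    *dirs, leaf = mailbox_components(reference + pattern)
    if any("*" in d or "%" in d for d in dirs):
        raise MailboxNameError("wildcard outside the last component")
    base = resolve_mailbox(mail_root, "/".join(dirs)) if dirs else os.path.realpath(mail_root)
    return base, leaf
```

The leaf pattern returned by `resolve_list` is meant to be matched against the entries of the returned directory by the server itself and never handed to a filesystem call.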