Info

Disclosure

Jan 27, 2005

Discovery

Jan 15, 2005

Dates

Exploit

Unknown

Solution

Unknown

Description

Winmail Server contains a flaw that allows a remote attacker to access and/or manipulate arbitrary files. The issue is due to multiple IMAP commands not properly sanitizing user input, specifically traversal style attacks (../../) resulting in a loss of confidentiality and/or integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Upgrade to version 4.0 (Build 1318) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

AMAX Information Technologies Inc.

Winmail Server

4.0 (Build 1112)

References

Security Tracker: 1013017
Bugtraq ID: 12388
Related OSVDB ID: 13244 13245 13246 13248
Secunia Advisory ID: 14053
CVE ID: 2005-0313 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0306.html
Other Advisory URL: http://www.security.org.sg/vuln/magicwinmail40.html

Credit

Tan Chew Keong - vulnsecunia.com - Secunia Research

Direct URL: http://osvdb.org/36218