Type packetstorm
Reporter Simon
Modified 2000-01-04T00:00:00


( / Six Toed  
) / Security Advisory  
Date: 2000, 03/01  
Affected Software: iMail Server 5.0  
Platform: Windows NT 4.0 SP 6a  
A malicous user can read and send emails as any other user on  
the system.  
The issue lies in how iMail handles the creating of new email  
accounts, and how it stores them.  
When iMail is default installed all new email accounts are  
stored in the same directory. So, the directory that held the  
account for would be stored in the same  
directory as  
Now if has mail administration turned on,  
user could create a new account under his domain  
for admin, and since it iMail would store it in the same  
directory as the as the account, they would  
then become  
one in the same. Thus allowing to read ALL  
incoming emails to and all other 'admin' users  
the system by sharing the same 'admin' folder. As you can  
imagine, this could pose a serious risk to security.  
When creating a new email account for a domain in iMail  
Administrator, choose a custom path to save all accounts to.  
As long as an administrator is keeping his eye on the ball this  
little problem can be avoided.  
I have not tested this problem on any earlier version of  
iMail... Other versions are probably affected too. If you find  
out they  
are please email me.  
Lupus Gentry, Af8e 4f5, Logical Gambit, RandomS, knarph,  
nulltone, Strick,  
Ross, Everyone @, and the girl who crushed Lupus's heat  
today, this  
means you Anna.  
Advisory By Simon(Says)  
Six Toed 2000, 01/03  
VM. 1-877-815-7880 x916  
Get your own "800" number - Free  
Free voicemail, fax, email, and a lot more