OSVDB ID: 16805

Title: Ipswitch IMail Web Calendaring Server GET Request Traversal Arbitrary File Access

Info

Disclosure

May 24, 2005

Discovery

Apr 25, 2005

Dates

Exploit

May 24, 2005

Solution

Unknown

Description

The Web Calendaring component in IMail Server contains a flaw that allows a remote attacker to access arbitrary files. The issue occurs when requesting nonexistent JavaScript (*.jsp) files followed by traversal style attacks (../../) resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Public, Exploit Commercial
OSVDB: Web Related

Solution

Upgrade to version 8.2 Hotfix 2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Ipswitch, Inc.

IMail Server

8.13

References

Credit

  • iDefense - iDefense


Direct URL: http://osvdb.org/16805