Secunia

Soroush Dalili has discovered some vulnerabilities in MailEnable Enterprise, which potentially can be exploited by malicious users to gain escalated privileges, and by malicious people and users to bypass certain security restrictions.

1) It is possible to gain access to certain functionalities in the web admin page by accessing "/meadmin/base/enterprise/lang/EN/main.asp" directly and setting the "POSTOFFICE" parameter to the name of the postoffice.

2) Input passed to the "LoginRights" parameter in "/MEWebMail/base/default/lang/EN/MailOptions.asp" isn't properly sanitised before being used. This can be exploited by a normal user to change his mailbox type to "SYSADMIN".

3) Access to the "/MEWebMail/base/default/lang/EN/Forms/MAI/Resolve.asp" script is not properly restricted. This can be exploited to create emails in any user's "draft" folder without requiring a valid logon, if the username is known.

4) Access to the "/MEWebMail/base/default/lang/EN/Forms/MAI/UploadAttachment.asp" script is not properly restricted. This can be exploited to upload a file into any user's "draft" folder without requiring a valid logon. The file will be saved as "myupload.ams".

5) Access to the "/MEWebMail/base/enterprise/lang/EN/Forms/vcf/uploadcontact.asp" script is not properly restricted. This can be exploited to upload a file into any user's "draft" folder without requiring a valid logon. The file will be saved as "_myupload.csv".

The vulnerabilities have been confirmed in Enterprise Edition version 2.09. Other versions may also be affected.

Solution
Update to version 1.25 or 2.09.3.
Further details available in Customer Area

Provided and/or discovered by
Soroush Dalili, GrayHatz Security Group.

Changelog
Further details available in Customer Area

Original Advisory
http://www.milw0rm.com/exploits/1893

Deep Links
Links available in Customer Area