1 Reply Latest reply on May 24, 2010 4:38 PM by ajclements

    Web Administration Broken Access Control in IronMail

    DBO

      Just received this warning from the Secunia mailing list:

      DESCRIPTION:
      Nahuel Grisolía has reported a vulnerability in McAfee Email Gateway, which can be exploited by malicious users to bypass certain security restrictions.

      The vulnerability is caused due to the Web Access interface performing insufficient checks for requests received from unprivileged users. This can be exploited by a user without write privileges to make configuration changes and e.g. add an administrative user.

      The vulnerability is reported in version 6.7.1. Other versions may also be affected.

      SOLUTION:
      Restrict access to the Web Access console to trusted users only.


      http://www.cybsec.com/vuln/cybsec_advisory_2010_0501_Ironmail_Advisory_Web_Access_Broken.pdf
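
The advisory quoted above attributes the flaw to the Web Access interface performing insufficient checks on requests from unprivileged users. As an added illustration (not code from the post, the advisory, or the product; the role model, action names and handlers are hypothetical), the Python below contrasts a handler that only checks authentication with one that enforces the write privilege server-side and denies by default.

```python
from dataclasses import dataclass, field

# Constructed role model: the advisory only distinguishes users with and
# without write privileges; the action names here are hypothetical.
READ_ACTIONS = {"view_config"}
WRITE_ACTIONS = {"add_user", "set_config"}

@dataclass
class Session:
    user: str
    privileges: frozenset

@dataclass
class Appliance:
    admins: set = field(default_factory=lambda: {"root"})

    def _apply(self, action, params):
        # Stand-in for the real configuration change.
        if action == "add_user" and params.get("role") == "admin":
            self.admins.add(params["name"])
        return "ok"

    def handle_vulnerable(self, session, action, params):
        # Flaw: only authentication is checked. The UI may hide write
        # controls from read-only users, but the handler never checks them.
        if session is None:
            return "401"
        return self._apply(action, params)

    def handle_hardened(self, session, action, params):
        if session is None:
            return "401"
        # Deny by default: unknown actions are rejected, and every
        # state-changing action requires the write privilege server-side.
        if action in READ_ACTIONS:
            needed = "read"
        elif action in WRITE_ACTIONS:
            needed = "write"
        else:
            return "404"
        if needed not in session.privileges:
            return "403"
        return self._apply(action, params)

def demo():
    # Constructed request: a read-only user asks for a new admin account.
    readonly = Session("auditor", frozenset({"read"}))
    req = ("add_user", {"name": "newadmin", "role": "admin"})
    weak, strong = Appliance(), Appliance()
    return (weak.handle_vulnerable(readonly, *req), "newadmin" in weak.admins,
            strong.handle_hardened(readonly, *req), "newadmin" in strong.admins)
```

Until a fixed handler is in place, the advisory's own mitigation (restricting console access to trusted users) is the only control, since the check cannot be added from the client side.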