CVE-2005-0313

Name of the Vulnerable Software and Affected Versions Magic Winmail Server version 4.0 Build 1112

Description The issue allows remote attackers to upload arbitrary files via certain parameters to "upload.php" or read arbitrary files via certain parameters to "download.php". Additionally, remote authenticated users can read, create, or delete arbitrary directories and files via the IMAP commands CREATE, EXAMINE, SELECT, or DELETE.

Recommendations For Magic Winmail Server version 4.0 Build 1112, consider restricting access to the "upload.php" and "download.php" scripts until a patch is available. As a temporary workaround, limit the use of IMAP commands CREATE, EXAMINE, SELECT, and DELETE to minimize the risk of exploitation.