CVE-2006-0817

Name of the Vulnerable Software and Affected Versions MERAK Mail Server for Windows version 8.3.8r VisNetic MailServer versions prior to 8.5.0.5

Description The issue allows remote attackers to include arbitrary files via a full Windows path and drive letter in the language parameter in "accounts/inc/include.php" and lang settings parameter in "admin/inc/include.php". This is due to improper sanitization by the securepath function.

Recommendations For MERAK Mail Server for Windows version 8.3.8r, update to IceWarp Web Mail 5.6.1 or later. For VisNetic MailServer versions prior to 8.5.0.5, update to version 8.5.0.5 or later. As a temporary workaround, consider restricting access to the accounts/inc/include.php and admin/inc/include.php files to minimize the risk of exploitation. Avoid using the language and lang settings parameters in the affected API endpoints until the issue is resolved.