Unrated severity · NVD Advisory · Published Oct 12, 2004 · Updated Jun 16, 2026

CVE-2004-1671

Description

Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to gain sensitive information via a direct request to (1) accountsettings_add.html or (2) topmenu.html.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

5
  • IceWarp/WebMail (4 versions)
    • cpe:2.3:a:icewarp:web_mail:3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:icewarp:web_mail:5.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:icewarp:web_mail:5.2.8:*:*:*:*:*:*:*
    • (no CPE) range: = 5.2.7
  • Range: = 7.4.5

Patches

Vulnerability mechanics

Root cause

"The server returns verbose error messages containing the full installation path when unauthenticated users request certain HTML pages directly."

Attack vector

An unauthenticated remote attacker sends a direct HTTP GET request to either `http://[target]:32000/mail/accountsettings_add.html` or `http://[target]:32000/mail/topmenu.html`. No active session is required [ref_id=1]. The server responds with an error message that includes the full install path, leaking sensitive information about the server's file system layout.

Affected code

The vulnerability affects `accountsettings_add.html` and `topmenu.html` in Icewarp Web Mail 5.2.7, part of Merak Mail Server 7.4.5. Direct requests to these pages without an active session cause the server to disclose the full installation path of Merak Mail Server.

What the fix does

The advisory does not include a patch diff. The vendor released Merak Mail Server 7.5.2 with Icewarp Web Mail 5.2.8, but the advisory notes that not all reported vulnerabilities were fixed in that version [ref_id=1]. The recommended workaround is to upgrade to the latest version or disable the Icewarp Web Mail service (Control.exe).

Preconditions

  • auth: No authentication required; no active session needed
  • config: Icewarp Web Mail (CONTROL service) must be running on the target (enabled by default)
  • network: Attacker must be able to send HTTP requests to the Merak Mail Server on port 32000
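
Direct requests to the two pages named above can be looked for in web access logs. The following is an added example, not part of the advisory or of the vendor's software: it assumes Common Log Format (the server's real log layout is not given here), uses constructed sample lines, and treats "client fetched no other `/mail/` page earlier in the log" as a heuristic stand-in for "no active session".

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two pages named in the advisory, lower-cased for case-insensitive matching.
WATCHED = {"/mail/accountsettings_add.html", "/mail/topmenu.html"}

# Assumption: Common Log Format; adapt the pattern to the server's real log layout.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def normalise(target):
    """Drop the query string, percent-decode, collapse slashes, lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def direct_requests(lines):
    """Return {client_ip: [(page, status), ...]} for watched pages requested by a
    client that had not fetched any other /mail/ page earlier in the log."""
    browsing = set()              # clients already seen on other webmail pages
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # unparseable line: skip it
        ip, path = m["ip"], normalise(m["target"])
        if path in WATCHED:
            if ip not in browsing:
                hits[ip].append((path, int(m["status"])))
        elif path.startswith("/mail/"):
            browsing.add(ip)
    return dict(hits)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/Oct/2004:10:00:01 +0000] "GET /mail/topmenu.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [12/Oct/2004:10:00:02 +0000] "GET /mail/AccountSettings_Add.html?x=1 HTTP/1.0" 200 498',
    '198.51.100.7 - - [12/Oct/2004:10:05:00 +0000] "GET /mail/index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [12/Oct/2004:10:05:03 +0000] "GET /mail/topmenu.html HTTP/1.0" 200 900',
    '203.0.113.5 - - [12/Oct/2004:10:06:00 +0000] "GET /mail/topmenu%2Ehtml HTTP/1.0" 200 512',
    'not a log line',
]

if __name__ == "__main__":
    for ip, found in direct_requests(SAMPLE).items():
        print(ip, found)
```

Flagged clients are candidates for review rather than confirmed probes; a response size that differs from the page's normal size for a logged-in user is a useful second signal.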

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
