CVE-2005-3691
Description
Directory traversal vulnerability in the IMAP service (meimaps.exe) of MailEnable Professional 1.6 and earlier and Enterprise 1.1 and earlier allows remote attackers to create or rename arbitrary mail directories via the mailbox name argument of the (1) create or (2) rename commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in MailEnable IMAP service allows remote attackers to create or rename arbitrary mail directories.
Vulnerability
A directory traversal vulnerability affects the IMAP service (meimaps.exe) of MailEnable Professional 1.6 and earlier and Enterprise 1.1 and earlier. The bug resides in the handling of the mailbox name argument for the create and rename commands: an attacker can traverse directories by including path traversal sequences (e.g., ../) in the mailbox name [1].
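The containment check whose absence the description implies, as an added example (not MailEnable's code and not taken from the advisory): each mailbox argument of CREATE or RENAME is resolved against the user's mail root under Windows path rules and refused if it does not land below that root. The root path, the function names and the sample commands are constructed for illustration.

```python
import ntpath
import re

# Hypothetical per-user mail root; a real server would take this from its config.
ROOT = r"C:\mailroot\alice"
# An IMAP argument is either a quoted string or a run of non-space characters.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

def tokens(line):
    # Split an IMAP command line; escaped quotes/backslashes in quoted strings are undone.
    out = []
    for m in TOKEN.finditer(line.strip()):
        if m.group(1) is not None:
            out.append(re.sub(r'\\(["\\])', r"\1", m.group(1)))
        else:
            out.append(m.group(2))
    return out

def mailbox_args(line):
    # Mailbox-name arguments: one for CREATE, two (old, new) for RENAME.
    t = tokens(line)
    if len(t) < 3:
        return []
    return {"CREATE": t[2:3], "RENAME": t[2:4]}.get(t[1].upper(), [])

def escapes_root(name, root=ROOT):
    # ntpath applies Windows rules on any OS: "/" and "\" are both separators,
    # ".." is collapsed, and an absolute or drive-qualified name replaces root.
    base = ntpath.normcase(ntpath.normpath(root))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
    # Anything not strictly below root is refused; the trailing separator keeps
    # a sibling such as C:\mailroot\alice2 from passing as a child.
    return not target.startswith(base + "\\")

def suspicious(lines):
    # Lines whose CREATE/RENAME arguments do not resolve below the mail root.
    return [l for l in lines if any(escapes_root(n) for n in mailbox_args(l))]

# Constructed client commands, as they might appear in an IMAP session log.
SAMPLE = [
    "a1 CREATE Archive/2005",
    'a2 CREATE "../../../outside"',
    'a3 RENAME Drafts "../../elsewhere"',
    "a4 RENAME Inbox/old Inbox/new",
    'a5 CREATE "Projects/../Notes"',
    "a6 SELECT INBOX",
]

if __name__ == "__main__":
    for line in suspicious(SAMPLE):
        print("reject:", line)
```

The same functions can be run over stored IMAP session logs to find past CREATE or RENAME commands whose mailbox names resolve outside the mail root.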
Exploitation
An attacker can exploit this vulnerability by connecting to the IMAP service and issuing a create or rename command with a crafted mailbox name containing directory traversal sequences. No authentication is required other than being able to connect to the IMAP service (typically on port 143). The attacker can specify a path that escapes the intended mail directory and points to any location on the filesystem that the mail service process has write access to [1].
Impact
Successful exploitation allows a remote attacker to create or rename arbitrary directories on the server. This could lead to unauthorized file system manipulation, potentially affecting mail storage, configuration, or other services. The exact impact depends on the permissions of the mail service process. The flaw does not directly provide code execution, but it can enable further attacks such as placing malicious files in sensitive locations [1].
Mitigation
MailEnable has released hot fixes to address this vulnerability. Users are advised to install the latest hot fixes from the MailEnable hot fix download page [1]. It is also recommended to upgrade to the most recent version of MailEnable, which includes all past hot fixes. If immediate patching is not possible, restricting access to the IMAP service via firewall rules or network segmentation may reduce exposure.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1
- Range: <=1.6
Patches
No patches discovered yet.
References
- secunia.com/advisories/17633 (nvd: Patch, Vendor Advisory)
- secunia.com/secunia_research/2005-59/advisory/ (nvd: Patch, Vendor Advisory)
- www.mailenable.com/hotfix/ (nvd: Patch)
- securitytracker.com/id (nvd)
- www.securityfocus.com/bid/15494 (nvd)
- www.vupen.com/english/advisories/2005/2484 (nvd)