IceWarp Mail Server XML Entity Injection and Information Disclosure Vulnerability

Summary
The host is running IceWarp Mail Server and is prone to XML entity injection and information disclosure vulnerabilities.

Vulnerability
The flaws are due to:
- Certain input passed via SOAP messages to 'server/webmail.php' is not properly verified before being used. This can be exploited to disclose the contents of arbitrary files.
- An unspecified script, which calls the 'phpinfo()' function, is stored with insecure permissions inside the web root. This can be exploited to gain knowledge of sensitive information.
Impact
Successful exploitation will allow an attacker to gain access to potentially sensitive information and possibly cause denial-of-service conditions. Other attacks may also be possible.
Impact Level: Application
Solution
Upgrade to IceWarp Mail Server 10.3.3 or later. For updates, refer to http://www.icewarp.com
Affected
IceWarp Mail Server 10.3.2 and prior.
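
The following is an added example, not IceWarp code and not part of the original advisory: a pre-parse check that a filter placed in front of 'server/webmail.php' could apply to SOAP request bodies, refusing any that declare a DTD or entities. The function name, return values and sample messages are assumptions constructed for illustration.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when a SOAP body carries a DOCTYPE or entity declaration."""


def _reject(kind):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*_args):
        raise DtdRejected(f"{kind} not allowed in SOAP request")
    return handler


def check_soap_body(body: bytes) -> str:
    """Classify a raw SOAP request body as 'ok', 'dtd' or 'malformed'.

    The body is tokenised by expat rather than searched as bytes, so the
    check also applies to encodings expat detects itself (e.g. UTF-16),
    which a byte-level search for '<!DOCTYPE' would not match.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")
    try:
        parser.Parse(body, True)
    except DtdRejected:
        return "dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample messages (hypothetical, not captured traffic).
CLEAN = (b'<?xml version="1.0"?>'
         b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
         b'<soap:Body><ping/></soap:Body></soap:Envelope>')
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE Envelope [<!ENTITY e "v">]>'
            b'<Envelope><Body>&e;</Body></Envelope>')
WITH_DTD_UTF16 = ('<?xml version="1.0" encoding="UTF-16"?>'
                  '<!DOCTYPE Envelope [<!ENTITY e "v">]>'
                  '<Envelope><Body>&e;</Body></Envelope>').encode("utf-16")
TRUNCATED = b"<Envelope><Body>"

if __name__ == "__main__":
    for name in ("CLEAN", "WITH_DTD", "WITH_DTD_UTF16", "TRUNCATED"):
        print(name, check_soap_body(globals()[name]))
```

Requests classified as 'dtd' or 'malformed' would be refused before reaching the webmail endpoint; this complements the upgrade and does not replace it.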