10th Dec 2001 [SBWID-4912]
COMMAND
kebi-Webmail reveals mailbox data
SYSTEMS AFFECTED
All servers running the kebi Webmail solution
(kebi Enterprise Version (KEV))
(kebi Academy Version (KAV))
PROBLEM
secret [http://www.wowhacker.org] posted:

When a kebi webmail server is set up on its default basis, there is a hidden
directory that connects to the administrator menu. This place is not known
to the outside. There is no authorization check here at all, at
http://target/a/! Because most systems that use the Kebimail server are
exposed without authentication to anyone who accesses this page over the
web, all of the mailserver users' personal information and e-mail contents
can be inspected, and users' homepage contents can be accessed if the
homepage space assignment function is in use. Almost all administrator
functions become available through a simple exploit; furthermore, full
administrator privileges can be given to a Webmail Server user account, and
one can obtain full administrator privileges by entering the exploit in a
web browser (where free e-mail account application is possible).

Exploit: http://mail.sample_target.com/a/

If the server that is using the kebi webmail solution is
mail.sample_target.com, the attack is to enter
http://mail.sample_target.com/a/ in the web browser URL field.
SOLUTION
Prevent external attackers from seizing webmail server administrator
privileges by applying web authentication (.htaccess, etc.) to
http://webmail_server_URL/a/
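To verify that the authentication control on /a/ is actually in force, the following added example (not part of the advisory or of kebi) scans web-server access logs in the common combined format for requests to the /a/ directory that were served without an authentication failure to sources outside an assumed management network (10.0.0.0/8 is an assumption); the log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Web-server "combined" access log format (Apache and NGINX default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The hidden administrator directory named in the advisory.
ADMIN_PREFIX = "/a/"
# Assumption: the operator's management network; other sources served /a/ are findings.
ADMIN_NETS = [ip_network("10.0.0.0/8")]

def parse_line(line):
    # Return the fields of one log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_admin_path(path):
    # Drop the query string; match the directory itself or anything below it
    # (an unrelated path such as "/about" must not be flagged).
    bare = path.split("?", 1)[0]
    return bare == ADMIN_PREFIX.rstrip("/") or bare.startswith(ADMIN_PREFIX)

def find_unauthenticated_admin_hits(lines):
    # Requests under /a/ that were served (status < 400) to non-admin sources.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        # 401/403 means an authentication control fired; 2xx/3xx means it did not.
        if rec["status"] >= 400:
            continue
        if any(ip_address(rec["ip"]) in net for net in ADMIN_NETS):
            continue
        hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits

# Constructed sample log lines (not real traffic; the script name is made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2001:10:00:01 +0900] "GET /a/ HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Dec/2001:10:00:09 +0900] "GET /a/list.cgi?page=2 HTTP/1.0" 200 8800 "-" "Mozilla/4.0"',
    '10.1.2.3 - - [10/Dec/2001:10:05:00 +0900] "GET /a/ HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Dec/2001:11:00:00 +0900] "GET /a/ HTTP/1.0" 401 410 "-" "Mozilla/4.0"',
]
```

Run against the real access log after applying the .htaccess protection: any line reported means a non-admin source still reached the administrator directory without being challenged.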