Missing field validation in MailEnable Webadmin user create

Raise/discuss any potential issues with MailEnable for consideration in project issue register.

Missing field validation in MailEnable Webadmin user create

Post by christer.axenta » Wed Sep 19, 2012 10:10 am

Hi there!

So then, the field where you input the username for a new mailbox in the webadmin panel is missing a validator. The field automatically applies @domain.no for the current userbox.

This in itself isn't a big problem, the problem comes when you try to delete the new user.

Let's assume we're creating an admin@domain.no, forgetting that admin@domain.no already exists. We input admin@domain.no into the username field and end up with admin@domain.no@domain.no; we have dubbed this effect Domainception.

The biggest problem is when you delete this erroneous user: doing so will not only remove the new user and its mailbox but also the original user's mailbox.

A quite deadly mix of missing input field validation and user input error, resulting in a severe loss of data.
One of our users managed to do this with their main used account and we had to spend some time restoring backups and researching this case.
A picture showing an example is below.

Image

Hopefully this will assist you in patching up this pitfall, as this could be used by a malignant attacker to remove all inboxes of admin users should they have gained access to the admin panel.

Apologies in advance if this has been posted before, I was unable to locate a similar problem using the search function.

Kind regards
Christer Helland,
IT Consultant
Axenta AS
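One way to close the gap described in the post, shown here as an added example rather than MailEnable's own code (the character pattern, function names and sample mailboxes are assumptions): validate the username field before the domain is appended, so that input containing "@" or a local part that collides with an existing mailbox is rejected instead of producing admin@domain.no@domain.no.

```python
import re
from typing import Collection

# Assumed, conservative local-part pattern: letters, digits, dot, hyphen,
# underscore and plus, 1-64 characters. Deliberately stricter than RFC 5321.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")


class MailboxInputError(ValueError):
    """Raised when the username field cannot be turned into a safe address."""


def build_mailbox_address(username: str, domain: str,
                          existing: Collection[str]) -> str:
    """Validate the raw username field and return the full mailbox address.

    The webadmin flow appends '@' + domain to whatever was typed. This helper
    performs the checks the post says are missing before that happens:
      * any '@' in the input is rejected (no admin@domain.no@domain.no)
      * the local part must match the conservative character set above
      * the composed address must not collide with an existing mailbox
    """
    value = username.strip()
    if "@" in value:
        # Rejecting is the safe default; silently stripping '@domain' would
        # hide the user's mistake and still risk a collision below.
        raise MailboxInputError(
            "username must be the local part only; the domain is added automatically")
    if not LOCAL_PART_RE.fullmatch(value):
        raise MailboxInputError("username contains characters that are not allowed")
    address = f"{value}@{domain}".lower()
    # Compare case-insensitively: mailbox names are not case-sensitive here.
    if address in {m.lower() for m in existing}:
        raise MailboxInputError(f"mailbox {address} already exists")
    return address


if __name__ == "__main__":
    # Constructed sample data: one pre-existing admin mailbox on the domain.
    mailboxes = {"admin@domain.no"}
    print(build_mailbox_address("bob", "domain.no", mailboxes))
    for bad in ("admin@domain.no", "admin", "ad min"):
        try:
            build_mailbox_address(bad, "domain.no", mailboxes)
        except MailboxInputError as exc:
            print(f"rejected {bad!r}: {exc}")
```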
