Guest_imported
I have discovered a huge security flaw in Ensim 3.0 and 3.1 server administration software.
It seems that users allocated email addresses can steal email from other users by adding an alias to a complete email address rather than the usual method of merely adding a username.
Here is a step-by-step method of how you can steal email from another user.
My victim's email is fred@somedomain.com.
somedomain.com is hosted on an Ensim-managed server.
I do not have any passwords to fred's email account, but I have an account of my own: snooper@somedomain.com.
I enter my user panel (somedomain.com/user) and go to the mail option (email manager).
In the email manager I select add alias from the alias page.
In the field I enter fred@somedomain.com and press save.
The message is... adding alias succeeded
That's it... all mail going to fred's mailbox now comes to mine (snooper@somedomain.com).
And just to clarify... yes, fred@somedomain.com already existed.
I have emailed Ensim and posted on their forum but have had no reply ...
Thanks ... Fizzwizz
Knowledge is power!!
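
The server-side check whose absence the post describes, as an added example (not Ensim's code and not written by the original poster): the bare-username form and the full-address form of an alias request are normalised to the same key before the uniqueness check, so neither form can shadow an existing mailbox. The function names, data structures and the sample accounts beyond fred and snooper are hypothetical.

```python
import re

class AliasError(ValueError):
    """Raised when a requested alias must not be created."""

# Conservative local-part syntax (an assumption, not a product rule).
LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")

def add_alias(domain, mailboxes, aliases, owner, requested):
    """Create alias `requested` for `owner`, or raise AliasError.

    mailboxes: set of local parts that have a real mailbox in `domain`
    aliases:   dict mapping alias local part -> owning local part
    """
    domain = domain.lower()
    name = requested.strip().lower()
    # Reduce "user@domain" to "user" so both input forms hit the same checks.
    if "@" in name:
        name, _, req_domain = name.rpartition("@")
        if req_domain != domain:
            raise AliasError("alias must be inside the account's own domain")
    if not LOCAL_PART.fullmatch(name):
        raise AliasError("invalid alias name")
    if owner not in mailboxes:
        raise AliasError("unknown mailbox owner")
    if name in mailboxes:
        raise AliasError(f"{name}@{domain} is an existing mailbox")
    if aliases.get(name, owner) != owner:
        raise AliasError(f"{name}@{domain} is already aliased to another user")
    aliases[name] = owner
    return f"{name}@{domain}"

# Constructed sample state mirroring the accounts named in the post.
DOMAIN = "somedomain.com"
MAILBOXES = {"fred", "snooper"}
ALIASES = {"sales": "fred"}  # constructed: an alias fred already owns

def attempt(requested, owner="snooper"):
    """Return the created address, or 'rejected: <reason>'."""
    try:
        return add_alias(DOMAIN, MAILBOXES, ALIASES, owner, requested)
    except AliasError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for req in ("fred@somedomain.com", "fred", "sales", "snoop"):
        print(f"{req!r:24} -> {attempt(req)}")
```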