G.P.de.Boer
07/01/03, 05:06
Directory traversal bug in Communigate Pro 4.0b to 4.0.2
--------------------------------------------------------
Overview
--------
While experimenting a bit with Communigate Pro's webmail service I found
a directory traversal bug by which attackers can read any file readable
by the user Communigate runs as, which is root by default and is not
chrooted. I have only tested this on the FreeBSD version. Builds for
other platforms are most probably vulnerable too.
Exploitation
------------
Telnet to the port Communigate Pro's webmail service is listening on, or
establish an SSL session, and issue a request like the following (mind
the "//"):
GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0
Communigate will send the passwd file. Of course the number of ".."s
depends on your installation.
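How a server-side path check, or a log scanner looking for this pattern, should treat such a request, as an added Python example that is not part of this advisory or of Communigate Pro. The filesystem root /srv/cgp, the example.com paths and the sample request lines are constructed for the example; the point is that the path is decoded, "//" runs collapsed and ".." resolved before the containment check, so the request is judged by where it lands rather than by how it looks.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical filesystem location behind the /DomainFiles URL prefix.
DOC_ROOT = "/srv/cgp"

# Constructed sample request lines, not captured from a real server. The
# first mirrors the shape of the request shown in the advisory above.
SAMPLE_REQUESTS = [
    "GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0",
    "GET /DomainFiles/example.com/index.html HTTP/1.0",
    "GET /DomainFiles/example.com/..%2f..%2fetc/passwd HTTP/1.0",
    "GET /DomainFiles/example.com/a..b/page.html HTTP/1.0",
]


def resolve_under_root(fs_root, url_prefix, url_path):
    """Map a URL path below url_prefix onto the filesystem below fs_root.

    Percent-escapes are decoded, '//' runs collapsed and '.'/'..' resolved
    before the containment check, so '/*//../..' style inputs are judged by
    where they end up. Returns the filesystem path, or None when the request
    escapes url_prefix (and therefore fs_root).
    """
    canonical = posixpath.normpath("/" + unquote(url_path).lstrip("/"))
    if canonical != url_prefix and not canonical.startswith(url_prefix + "/"):
        return None
    relative = canonical[len(url_prefix):].lstrip("/")
    return posixpath.join(fs_root, relative) if relative else fs_root


def flag_traversal(request_line, url_prefix="/DomainFiles"):
    """Detection helper for access logs: True when a request aimed at the
    file area resolves outside it. A name merely containing '..' (a..b) is
    not flagged, unlike a naive substring match on '..'."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    if not unquote(parts[1]).startswith(url_prefix + "/"):
        return False  # not aimed at the file area at all
    return resolve_under_root(DOC_ROOT, url_prefix, parts[1]) is None


def scan_log(lines):
    """Return the request lines that look like traversal attempts."""
    return [line for line in lines if flag_traversal(line)]
```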
Fix
---
Upgrade to Communigate Pro 4.0.3, available on www.stalker.com.
Other considerations
--------------------
You might want to run Communigate Pro as a non-root user, if you're not
doing so already. Read the following link for more information about
dropping root:
http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root
Thanks
------
Thanks go out to Stalker Software for their quick and adequate response,
a reply within a few minutes and a fix within 24 hours, bravo!