Directory traversal bug in Communigate Pro 4's Webmail service

07/01/03, 05:06
Directory traversal bug in Communigate Pro 4.0b to 4.0.2


When experimenting a bit with Communigate Pro's webmail service I found
a directory traversal bug by which attackers can read any file readable
by the user Communigate runs as, by default root, not chrooted. I have
only tested this on the FreeBSD version. Builds for other platforms are
most probably vulnerable too.


Telnet to the port Communigate Pro's webmail service is listening on or
establish an SSL session and issue a request like: (mind the "//")

GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0

Communigate will send the passwd file. Of course the number of ".."s
depends on your installation.


Upgrade to Communigate Pro 4.0.3, available on www.stalker.com.
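
For operators who want to check whether the request shape shown above has reached their server, the following is an added example, not part of the original advisory or of Communigate Pro. It assumes each log entry holds a raw HTTP request line; the function names and all sample lines except the first are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed input: one raw HTTP request line per log entry (METHOD target HTTP/x.y).
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

def traversal_findings(target, prefix="/DomainFiles/"):
    """Return the reasons a request target under `prefix` looks like traversal."""
    path = target.split("?", 1)[0]
    # Percent-decode a bounded number of times so encoded forms compare like literals.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if not path.startswith(prefix):
        return []
    segments = path[len(prefix):].split("/")
    reasons = []
    if ".." in segments:
        reasons.append("dot-dot segment")
    # An empty segment before the last one means "//" appeared in the path.
    if "" in segments[:-1]:
        reasons.append("empty segment (//)")
    return reasons

def scan(lines):
    """Return (target, reasons) for every request line that is flagged."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.match(line.strip())
        if match:
            reasons = traversal_findings(match.group("target"))
            if reasons:
                hits.append((match.group("target"), reasons))
    return hits

# First line is the request from the advisory; the others are constructed samples.
SAMPLE = [
    "GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0",
    "GET /DomainFiles/logo.gif HTTP/1.0",
    "GET /DomainFiles/%2e%2e/x HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for target, reasons in scan(SAMPLE):
        print(target, "->", ", ".join(reasons))
```

A hit in logs from before the upgrade to 4.0.3 means files readable by the Communigate user may have been disclosed and should be reviewed accordingly.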

Other considerations

You might want to run Communigate Pro as a non-root user, if you're not
doing so already. Read the following link for more information about
dropping root:


Thanks go out to Stalker Software for their quick and adequate response,
a reply within a few minutes and a fix within 24 hours, bravo!