Axigen Webmail Directory Traversal Vulnerability

Credit: Bogdan Calin
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7 . In this blog post, we will look into the details of a very serious web vulnerability discovered by Acunetix WVS in Axigen. "Axigen is an integrated email, calendaring & collaboration platform, masterfully built on our unique Linux mail server technology, for increased speed & security." Axigen Webmail version 7.4.1 is vulnerable to a directory traversal vulnerability. Only Axigen installations running on Windows platforms are affected. By URL encoding the "\" character to %5C it's possible to bypass the directory traversal protection available in this application. By requesting the following URL (/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini) it's possible to read the contents of file c:\windows\win.ini. Using this encoding trick you can traverse directories and see the contents of any file that is readable by the web server use Here is a sample HTTP request: GET HTTP/1.1 Cookie: webmailSession=0; cookieTest=cookiesEnabled; checkOverQuota=0; passwordExpireWarning=0 Host: Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) While investigating this alert, I've discovered that this vulnerability is more serious than I initially expected. This is a very serious vulnerability because using information from the log files it's possible to gather enough information to read the file containing all the emails from all the domains hosted on the server. For, example, using an HTTP request like: GET /..%5c..%5c/log/everything.txt HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: Connection: Close Pragma: no-cache you can access the log file. From here you get determine the domain name and using this information you can read the file containing all the emails from this domain: GET /..%5c..%5c/domains/localdomain/00.hsf HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: Connection: Close Pragma: no-cache This vulnerability was reported to the Axigen team on 22/7/2010 via the support system on their website and they were fixed in Axigen version 7.4.2. If you are using Axigen, download the latest version from their website. -- Bogdan Calin - bogdan [at] CTO Acunetix Ltd. - Acunetix Web Security Blog - Follow us on Twitter - _______________________________________________ Full-Disclosure - We believe in it. Charter: Hosted and sponsored by Secunia -


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top