Bugtraq mailing list archives
Infosec.20000712.worldclient.2.1
From: rikard.carlsson () INFOSEC SE (Rikard Carlsson)
Date: Wed, 12 Jul 2000 11:16:57 +0100
Infosec Security Vulnerability Report
No: Infosec.20000712.worldclient.2.1
===============================

Vulnerability Summary
---------------------

Problem: The web server for remote access to e-mail in WorldClient 2.1 is vulnerable for root dot dot. It is possible to read and in some cases download any file known by name and location on a Windows NT 4.0.

Threat: An attacker can download a copy of the sam._ file, the repair SAM database.

Platform: WorldClient 2.1 on Windows NT 4.0

Solution: Currently there is no patch that corrects this problem. Mr John Grish, Technical Support Supervisor at Deerfield.com told me that their development team is testing and working on this problem in this moment.

Vulnerability Description
-------------------------

The web server WDaemon/2.1, which is a part of the web-based Email solution World Client 2.1 is vulnerable for root dot dot in some cases. When requesting the URL http://email.victim.com/..\..\..\winnt\repair\sam._ from Linux 2.X and Netscape 4.08 the sam._ is downloaded.

It seems like this vulnerability is not present when requesting the same URL from Windows NT 4.0 with Internet Explorer 4.0 and Netscape Communicator 6.0. When using these newer browsers the backslash is automatically exchanged for a forward slash and I get a message that I am requesting a forbidden page.

Additional Information
----------------------

Deerfield Technical Support was notified about this vulnerability approximately two weeks ago.

For more information about Deerfield and WorldClient, see http://worldclient.deerfield.com

Reported by: Rikard Carlsson, rikard.carlsson () infosec se

-------------------------------

Infosec is a Swedish based tiger team that has been working with information security since 1982. Infosec has been doing network penetration tests and technical audits of computer systems since 1996.

Infosec is now hiring in Sweden and the United Kingdom. Please contact Christer Stafferöd for more information.
Phone: +46-8-6621070
E-mail: stafferod () infosec se

__________________________________________________
Backupcentralen will change name to Guardian iT Sweden
Domain will be guardianit.se
Mail = xx () guardianit se
WWW = www.guardianit.com
__________________________________________________
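The following is an added example, not part of the original advisory and not Deerfield's code: a request-path check that folds backslash and forward slash into one separator and decides on the resolved path, shown beside a hypothetical filter that only recognises `../`. The document root, function names and sample requests are assumptions; the advisory does not describe how WDaemon validates paths internally.

```python
import ntpath  # Windows path rules, usable on any OS
from urllib.parse import unquote

DOC_ROOT = r"C:\WorldClient\html"  # assumed document root, not from the advisory


def naive_forward_slash_filter(url_path):
    """Hypothetical weak check: only recognises '/' as a separator."""
    return "../" not in unquote(url_path)


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Return the absolute file path for a request, or None to refuse it."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Windows file APIs accept '\' and '/', so fold both into one separator.
    relative = decoded.replace("/", "\\").lstrip("\\")
    # A drive letter would make ntpath.join() discard doc_root entirely.
    if ntpath.splitdrive(relative)[0]:
        return None
    root = ntpath.normpath(doc_root)
    candidate = ntpath.normpath(ntpath.join(root, relative))
    # Decide on the resolved path, never on the raw request string.
    inside = ntpath.normcase(candidate + "\\").startswith(ntpath.normcase(root + "\\"))
    return candidate if inside else None


# Constructed sample requests (the second is the form quoted in the advisory).
SAMPLES = [
    "/index.html",
    "/..\\..\\..\\winnt\\repair\\sam._",
    "/../../../winnt/repair/sam._",
    "/%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5crepair%5csam._",
]

if __name__ == "__main__":
    for path in SAMPLES:
        verdict = resolve_request_path(path) or "REFUSED"
        print(f"{path!r:55} naive_ok={naive_forward_slash_filter(path)!s:5} -> {verdict}")
```

The naive filter passes the backslash and percent-encoded forms, while the resolved-path check refuses all three traversal requests and still serves `/index.html`.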