Bugtraq mailing list archives
Directory traversal bug in Communigate Pro 4's Webmail service
From: "G.P.de.Boer" <g.p.de.boer () st hanze nl>
Date: 06 Jan 2003 21:41:06 +0100
Directory traversal bug in Communigate Pro 4.0b to 4.0.2 -------------------------------------------------------- Overview -------- When experimenting a bit with Communigate Pro's webmail service I found a directory traversal bug by which attackers can read any file readable by the user Communigate runs as, defaultly root, not chrooted. I have only tested this on the FreeBSD version. Builds for other platforms are most probably vulnerable too. Exploitation ------------ Telnet to the port Communigate Pro's webmail service is listening on or establish a SSL-session and issue a request like: (mind the "//") GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0 Communigate will send the passwd file. Ofcourse the number of ".."'s depends on your installation. Fix --- Upgrade to Communigate Pro 4.0.3, available on www.stalker.com. Other considerations -------------------- You might want to run Communigate Pro as a non-root user, if you're not doing so already. Read the following link for more information about dropping root: http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root Thanks ------ Thanks go out to Stalker Software for their quick and adequate response, a reply within a few minutes and a fix within 24 hours, bravo!
Current thread:
- Directory traversal bug in Communigate Pro 4's Webmail service G.P.de.Boer (Jan 06)
- Re: Directory traversal bug in Communigate Pro 4's Webmail service Albert Bendicho (Jan 20)