Re: Directory traversal bug in Communigate Pro 4's Webmail service

From: Albert Bendicho (bendiat_private)
Date: Tue Jan 07 2003 - 15:10:29 PST


    Confirmed also with version 4.0 on Linux/Intel.
    It also works over HTTP; no need for HTTPS.
    
             Albert Bendicho
    
    At 21:41 06/01/2003 +0100, G.P.de.Boer wrote:
    >Directory traversal bug in Communigate Pro 4.0b to 4.0.2
    >--------------------------------------------------------
    >
    >
    >Overview
    >--------
    >
    >When experimenting a bit with Communigate Pro's webmail service I found
    >a directory traversal bug by which attackers can read any file readable
    >by the user Communigate runs as, by default root, not chrooted. I have
    >only tested this on the FreeBSD version. Builds for other platforms are
    >most probably vulnerable too.
    >
    >
    >
    >Exploitation
    >------------
    >
    >Telnet to the port Communigate Pro's webmail service is listening on or
    >establish an SSL session and issue a request like: (mind the "//")
    >
    >GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0
    >
    >Communigate will send the passwd file. Of course the number of ".."'s
    >depends on your installation.
    >
    >
    >Fix
    >---
    >
    >Upgrade to Communigate Pro 4.0.3, available on www.stalker.com.
    >
    >
    >
    >Other considerations
    >--------------------
    >
    >You might want to run Communigate Pro as a non-root user, if you're not
    >doing so already. Read the following link for more information about
    >dropping root:
    >http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root
    >
    >
    >Thanks
    >------
    >
    >Thanks go out to Stalker Software for their quick and adequate response,
    >a reply within a few minutes and a fix within 24 hours, bravo!
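
An added example, not part of the original posts and not CommuniGate Pro code: a log-review check that flags request lines like the one quoted in the advisory by resolving the path the way a filesystem would. The function names, the bare request-line log format and every sample line except the first are assumptions constructed for illustration.

```python
from urllib.parse import unquote

def escapes_root(request_target: str) -> bool:
    """Return True if the request path climbs above the URL root.

    Empty segments (from "//") and "." are skipped and ".." pops one
    level, which is how a filesystem would resolve the path.
    """
    path = request_target.split("?", 1)[0]
    # Decode a bounded number of times so encoded dot segments are seen too.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:      # walked above "/": traversal
                return True
        else:
            depth += 1
    return False

def flag_requests(log_lines):
    """Return (line_number, target) for request lines that escape the root."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("GET", "HEAD", "POST"):
            if escapes_root(parts[1]):
                hits.append((n, parts[1]))
    return hits

SAMPLE = [
    "GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0",  # request from the advisory
    "GET /DomainFiles/logo.gif HTTP/1.0",                   # constructed, benign
    "GET /DomainFiles/a/../logo.gif HTTP/1.0",              # constructed, stays inside
    # Constructed to exercise the decoder; no claim that the product accepts it.
    "GET /DomainFiles/*//%2e%2e/%2e%2e/%2e%2e/x HTTP/1.0",
]

if __name__ == "__main__":
    for line_no, target in flag_requests(SAMPLE):
        print(f"line {line_no}: path escapes root: {target}")
```

Run against web server logs from before the upgrade to 4.0.3 to see whether such requests were made; a hit shows only that the request was received, not that a file was returned.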
    


