× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. January 2003

FW: Directory traversal bug in Communigate Pro 4's Webmail service

FYI, incase this is also exploitable on the iSeries (nee AS/400)

Fix is to upgrade.

--phil

-----Original Message-----
Subject: Re: Directory traversal bug in Communigate Pro 4's Webmail
service


Confirmed also with version 4.0 on Linux/Intel.
It also works on HTTP, no need of HTTPS

         Albert Bendicho

At 21:41 06/01/2003 +0100, G.P.de.Boer wrote:
>Directory traversal bug in Communigate Pro 4.0b to 4.0.2
>--------------------------------------------------------
>
>
>Overview
>--------
>
>When experimenting a bit with Communigate Pro's webmail service I found
>a directory traversal bug by which attackers can read any file readable
>by the user Communigate runs as, defaultly root, not chrooted. I have
>only tested this on the FreeBSD version. Builds for other platforms are
>most probably vulnerable too.
>
>
>
>Exploitation
>------------
>
>Telnet to the port Communigate Pro's webmail service is listening on or
>establish a SSL-session and issue a request like: (mind the "//")
>
>GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0
>
>Communigate will send the passwd file. Ofcourse the number of ".."'s
>depends on your installation.
>
>
>Fix
>---
>
>Upgrade to Communigate Pro 4.0.3, available on www.stalker.com.
>
>
>
>Other considerations
>--------------------
>
>You might want to run Communigate Pro as a non-root user, if you're not
>doing so already. Read the following link for more information about
>dropping root:
>http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root
>
>
>Thanks
>------
>
>Thanks go out to Stalker Software for their quick and adequate response,
>a reply within a few minutes and a fix within 24 hours, bravo!

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.