TUCoPS :: Web :: Specific Sites :: web5918.htm

Directory traversal bug in Communigate Pro 4's Webmail service
7th Jan 2003 [SBWID-5918]
COMMAND

	Directory traversal bug in Communigate Pro 4's Webmail service

SYSTEMS AFFECTED

	Communigate Pro 4.0b to 4.0.2

PROBLEM

	G.P.de.Boer [g.p.de.boer@st.hanze.nl] found :
	
	When experimenting a bit with Communigate Pro's webmail service I  found
	a directory traversal bug by which attackers can read any file  readable
	by the user Communigate runs as, defaultly root, not  chrooted.  I  have
	only tested this on the FreeBSD version. Builds for other platforms  are
	most probably vulnerable too.
	
	 Exploitation
	 ------------
	
	Telnet to the port Communigate Pro's webmail service is listening on  or
	establish a SSL-session and issue a request like: (mind the "//")
	
	GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0
	
	Communigate will send the passwd file. Ofcourse  the  number  of  ".."'s
	depends on your installation.

SOLUTION

	Upgrade to Communigate Pro 4.0.3, available on www.stalker.com.
	
	 Other considerations
	 --------------------
	
	You might want to run Communigate Pro as a non-root user, if you're  not
	doing so already. Read the following link  for  more  information  about
	dropping root:
	
	http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH