TUCoPS :: Web :: Specific Sites :: web5918.htm

Directory traversal bug in Communigate Pro 4's Webmail service
7th Jan 2003 [SBWID-5918]

	Directory traversal bug in Communigate Pro 4's Webmail service


	Communigate Pro 4.0b to 4.0.2


	G.P.de.Boer [g.p.de.boer@st.hanze.nl] found :
	When experimenting a bit with Communigate Pro's webmail service I  found
	a directory traversal bug by which attackers can read any file  readable
	by the user Communigate runs as, defaultly root, not  chrooted.  I  have
	only tested this on the FreeBSD version. Builds for other platforms  are
	most probably vulnerable too.
	Telnet to the port Communigate Pro's webmail service is listening on  or
	establish a SSL-session and issue a request like: (mind the "//")
	GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0
	Communigate will send the passwd file. Ofcourse  the  number  of  ".."'s
	depends on your installation.


	Upgrade to Communigate Pro 4.0.3, available on www.stalker.com.
	 Other considerations
	You might want to run Communigate Pro as a non-root user, if you're  not
	doing so already. Read the following link  for  more  information  about
	dropping root:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH