[NEWS] Directory Traversal Bug in CommuniGate Pro 4's Webmail Service (*)

From: support@securiteam.com
Date: 01/08/03

  • Next message: support@securiteam.com: "[EXPL] Tanne Format String Exploit Code" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 8 Jan 2003 11:16:47 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Directory Traversal Bug in CommuniGate Pro 4's Webmail Service (*)
    ------------------------------------------------------------------------

    SUMMARY

    CommuniGate Pro's webmail service contains a directory traversal bug by
    which attackers can read any file readable by the user CommuniGate runs by
    default as root (and it is not chrooted).

    DETAILS

    Vulnerable systems:
     * CommuniGate Pro versions 4.0b to 4.0.2

    Immune systems:
     * CommuniGate Pro version 4.0.3

    Exploit:
    Telnet to the port CommuniGate Pro's webmail service is listening on or
    establish a SSL-session and issue a request like: (mind the "//")

    GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0

    CommuniGate will send the passwd file. Of course the number of ".."'s
    depends on your installation.

    Fix:
    Upgrade to CommuniGate Pro 4.0.3, available on www.stalker.com.

    Other considerations:
    You might want to run CommuniGate Pro as a non-root user, if you're not
    doing so already. Read the following link for more information about
    dropping root: <http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root>
    http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:g.p.de.boer@st.hanze.nl>
    G.P.de.Boer.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.