[NT] Alt-N WebAdmin Directory Traversal (logfile/configfile_view.wdm)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Alt-N WebAdmin Directory Traversal (logfile/configfile_view.wdm)
------------------------------------------------------------------------


SUMMARY

WebAdmin <http://www.altn.com/products/default.asp?product_id=WebAdmin> is a
remote administration utility which allows administrators to manage Alt-N's
MDaemon, RelayFax and WorldClient products.

Directory traversal in a couple of WebAdmin's scripts allows any user with
access to the WebAdmin administrative interface to access any file on the
vulnerable host.

DETAILS

Vulnerable Systems:
* Alt-N WebAdmin v3.2.3/3.2.4 running with MDaemon v9.0.5, earlier
versions are suspected vulnerable as well

The WebAdmin product page touts its configurable access rights feature.
However, the tested versions have been found vulnerable to a privilege
elevation vulnerability which could lead to compromise of the mail server
and which, in combination with insufficient input sanitization in some of
its modules, could allow malicious users access to sensitive files on the
server. This includes the system's weakly encoded password file.

Because input to the administrative interface's logfile_view.wdm and
configfile_view.wdm files is not properly sanitized, authenticated global
administrators are allowed access to the underlying filesystem like so:

http://mdaemon:1000/configfile_view.wdm?file=../../autoexec.bat
http://mdaemon:1000/logfile_view.wdm?type=webadmin&file=../../App/userlist.dat

Note that this is not a service offered by the administrative interface
itself. Also of note is that the second example retrieves the server's
password file which, as noted earlier by Obscure (1), is easily decodable.
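The following is an added example and not code from this advisory or from
Alt-N: a containment check of the kind the two scripts lack, applied to a
"file" argument, together with a scan of constructed access-log lines for
requests whose argument would have escaped the intended directory. The base
directories, the log format and the log lines are assumptions made for the
example; only the two request URLs above are taken from the advisory.

```python
# Added example (not Alt-N or advisory code): path containment for a
# "file" parameter of the kind accepted by logfile_view.wdm and
# configfile_view.wdm, plus a scan of constructed access-log lines.
from typing import Dict, List, Optional, Tuple
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed base directories per script (hypothetical layout, not WebAdmin's).
# posixpath is used throughout so results do not depend on the host OS.
ALLOWED_ROOTS: Dict[str, str] = {
    "configfile_view.wdm": "/srv/webadmin/config",
    "logfile_view.wdm": "/srv/webadmin/logs",
}


def resolve_requested_file(root: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path if `requested` stays strictly
    inside `root`, otherwise None.

    Handles repeated percent-encoding (%2e%2e%2f, %252e...), Windows-style
    backslashes, NUL bytes, absolute paths and drive letters.
    """
    decoded = requested
    for _ in range(3):  # peel nested encodings; stop when the value is stable
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if not decoded or "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return None  # absolute path or drive-letter path: never valid here
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Strict prefix with a trailing separator, so /srv/webadmin/logs2 does
    # not pass as a child of /srv/webadmin/logs.
    if candidate.startswith(root_norm + "/"):
        return candidate
    return None


def check_request(url: str) -> Dict[str, Optional[object]]:
    """Classify a request URL: which .wdm script, the raw file argument, and
    whether the argument resolves inside that script's root. `allowed` is
    None when the script is not one of the two file viewers."""
    parts = urlsplit(url)
    script = posixpath.basename(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    requested = params.get("file", [""])[0]
    root = ALLOWED_ROOTS.get(script)
    if root is None:
        return {"script": script, "file": requested, "allowed": None, "resolved": None}
    resolved = resolve_requested_file(root, requested)
    return {"script": script, "file": requested,
            "allowed": resolved is not None, "resolved": resolved}


# Constructed access-log lines (not real MDaemon/WebAdmin logs); fields are
# client, ident, method, request-target, status.
SAMPLE_LOG = """\
10.0.0.5 - GET /configfile_view.wdm?file=webadmin.ini 200
10.0.0.5 - GET /configfile_view.wdm?file=../../autoexec.bat 200
10.0.0.9 - GET /logfile_view.wdm?type=webadmin&file=../../App/userlist.dat 200
10.0.0.9 - GET /logfile_view.wdm?type=webadmin&file=..%2f..%2fApp%2fuserlist.dat 200
10.0.0.7 - GET /logfile_view.wdm?type=webadmin&file=webadmin.log 200
10.0.0.7 - GET /userlist.wdm 200
"""


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, script, decoded file argument) for every logged request
    whose file argument would have escaped its script's root."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, target = fields[0], fields[3]
        verdict = check_request("http://mdaemon:1000" + target)
        if verdict["allowed"] is False:
            hits.append((client, str(verdict["script"]), str(verdict["file"])))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The check normalises first and compares the result against the root as a
strict prefix; rejecting "../" substrings alone would miss the percent-encoded
and backslash forms that the log scan above flags.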

Mitigating this problem is the fact that the user has to be a global
administrator to be allowed access to logfile_view.wdm and
configfile_view.wdm.

It has also been found, however, that while the web interface appears to
distinguish between user levels (namely global administrator and domain
administrator), and indeed touts this ability on its product page, all
authenticated administrators within the same domain, regardless of level,
are allowed to modify all user accounts and passwords through
userlist.wdm, including the details and passwords of global administrator
accounts.
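The following is an added example and not code from this advisory or from
Alt-N: the account-edit authorization that the advisory reports missing from
userlist.wdm, modelled as the flawed same-domain check beside a hardened one
that also respects the target's level. The account levels, the sample
directory and the rules are assumptions made for the example.

```python
# Added example (not Alt-N or advisory code): the account-edit authorization
# the advisory reports missing from userlist.wdm, modelled as a flawed check
# beside a hardened one. Levels, accounts and rules are constructed.
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    USER = 0
    DOMAIN_ADMIN = 1
    GLOBAL_ADMIN = 2


@dataclass(frozen=True)
class Account:
    name: str
    domain: str
    level: Level


def can_modify_flawed(actor: Account, target: Account) -> bool:
    """Behaviour the advisory describes: any administrator may edit any
    account in the same domain, whatever the target's level."""
    return actor.level >= Level.DOMAIN_ADMIN and actor.domain == target.domain


def can_modify(actor: Account, target: Account,
               new_level: Optional[Level] = None) -> bool:
    """Hardened rule: global administrators may edit anyone; domain
    administrators only accounts in their own domain that are below global;
    users only themselves. Nobody below global may grant a level above
    their own, which blocks self-promotion through the same form."""
    if actor.level < Level.GLOBAL_ADMIN and new_level is not None \
            and new_level > actor.level:
        return False
    if actor.level == Level.GLOBAL_ADMIN:
        return True
    if actor.level == Level.DOMAIN_ADMIN:
        return target.domain == actor.domain and target.level < Level.GLOBAL_ADMIN
    return actor == target


# Constructed directory: two domains, one global administrator.
ACCOUNTS: List[Account] = [
    Account("alice", "example.com", Level.GLOBAL_ADMIN),
    Account("bob", "example.com", Level.DOMAIN_ADMIN),
    Account("carol", "example.com", Level.USER),
    Account("dave", "other.org", Level.DOMAIN_ADMIN),
    Account("erin", "other.org", Level.USER),
]


def escalation_paths(accounts: List[Account]) -> List[Tuple[str, str]]:
    """(actor, target) pairs the flawed check permits but the hardened check
    denies: exactly the edits that let a lesser administrator take over a
    higher-privileged account."""
    return [(a.name, t.name)
            for a in accounts for t in accounts
            if a != t and can_modify_flawed(a, t) and not can_modify(a, t)]


if __name__ == "__main__":
    for actor, target in escalation_paths(ACCOUNTS):
        print(f"{actor} could take over {target} under the flawed check")
```

Run against the constructed directory, the only divergence between the two
checks is the domain administrator editing the global administrator in his
own domain, which is the path to full compromise the advisory describes.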

The impact of these vulnerabilities in a small environment using only
trusted administrators is low if the default HTTP solution is not used. In
larger environments, were one to rely on WebAdmin's user restrictions, the
impact of the mentioned problems is larger, as they effectively allow third
parties unauthorized access to the full mail server configuration and the
file system below it.

Workaround:
It is suggested that administrators do not access the administrative
interface over its own server, and thus over the inherently insecure HTTP
protocol, but install it on another, SSL capable server.

Also, it would be wise to not allow regular users access to their domain
configurations through the administrative interface, no matter the server.

Vendor Status:
Vendor was notified and response was swift. First contact was established
on August 14 and WebAdmin 3.25, which fixes these issues (2), was made
available on August 18.

References:
(1) Multiple Vulnerabilities in MDaemon + WorldClient by Obscure of Eye
on Security:
<http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html>

(2) WebAdmin Server v3.25 Release Notes:
<http://files.altn.com/WebAdmin/Release/RelNotes_en.txt>


ADDITIONAL INFORMATION

The information has been provided by TTG <mailto:releases@xxxxxxxxxx>.


