AOH :: Web :: Specific Sites

AOH :: Web :: Specific Sites :: WEB5918.HTM
Directory traversal bug in Communigate Pro 4's Webmail service

7th Jan 2003 [SBWID-5918]

COMMAND

	Directory traversal bug in Communigate Pro 4's Webmail service

SYSTEMS AFFECTED

	Communigate Pro 4.0b to 4.0.2

PROBLEM

	G.P.de.Boer [g.p.de.boer@st.hanze.nl] found :
	
	When experimenting a bit with Communigate Pro's webmail service I  found
	a directory traversal bug by which attackers can read any file  readable
	by the user Communigate runs as, defaultly root, not  chrooted.  I  have
	only tested this on the FreeBSD version. Builds for other platforms  are
	most probably vulnerable too.
	
	 Exploitation
	 ------------
	
	Telnet to the port Communigate Pro's webmail service is listening on  or
	establish a SSL-session and issue a request like: (mind the "//")
	
	GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0
	
	Communigate will send the passwd file. Ofcourse  the  number  of  ".."'s
	depends on your installation.

SOLUTION

	Upgrade to Communigate Pro 4.0.3, available on www.stalker.com.
	
	 Other considerations
	 --------------------
	
	You might want to run Communigate Pro as a non-root user, if you're  not
	doing so already. Read the following link  for  more  information  about
	dropping root:
	
	http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better). Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.