‘Directory Traversal Bug in CommuniGate Pro 4’s Webmail Service (*)’

Summary

‘CommuniGate Pro’s webmail service contains a directory traversal bug by which attackers can read any file readable by the user CommuniGate runs as. By default it runs as root (and it is not chrooted).’

Credit:

‘The information has been provided by G.P.de.Boer.’


Details

Vulnerable systems:
 * CommuniGate Pro versions 4.0b to 4.0.2

Immune systems:
 * CommuniGate Pro version 4.0.3

Exploit:
Telnet to the port CommuniGate Pro’s webmail service is listening on, or establish an SSL session, and issue a request like the following (mind the ‘//’):

GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0

CommuniGate will send the passwd file. Of course, the number of ‘..’s depends on your installation.

Fix:
Upgrade to CommuniGate Pro 4.0.3, available on www.stalker.com.

Other considerations:
You might want to run CommuniGate Pro as a non-root user, if you’re not doing so already. Read the following link for more information about dropping root: http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root
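
To check whether a server was probed before it was upgraded, the request pattern above can be searched for in HTTP access logs. The following is an added example, not part of the original advisory or of CommuniGate Pro; the log line format and the sample lines are constructed assumptions, and it also decodes percent-encoded dots, which the advisory does not mention.

```python
import re
from urllib.parse import unquote

# Request line as it appears in an HTTP access log: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(r'(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_traversal(target, prefix="/DomainFiles/"):
    """True if a request under `prefix` contains a '..' path segment."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    if not path.startswith(prefix):
        return False
    # Compare whole segments so names like 'release..notes.txt' do not match.
    return ".." in path.split("/")

def suspicious_requests(log_lines):
    """Return (line_number, target) for each log line that matches."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.search(line)
        if match and is_traversal(match.group("target")):
            hits.append((number, match.group("target")))
    return hits

# Constructed sample log lines (not real traffic); the format is an assumption.
SAMPLE_LOG = [
    '192.0.2.10 "GET /DomainFiles/logo.gif HTTP/1.0" 200',
    '192.0.2.77 "GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0" 200',
    '192.0.2.77 "GET /DomainFiles/*//%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200',
    '192.0.2.12 "GET /DomainFiles/release..notes.txt HTTP/1.0" 200',
    '192.0.2.13 "GET /index.html HTTP/1.0" 200',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit with a 200 status on a version between 4.0b and 4.0.2 means the requested file should be treated as disclosed.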
