‘Directory Traversal Bug in CommuniGate Pro 4’s Webmail Service (*)’
‘CommuniGate Pro’s webmail service contains a directory traversal bug by which attackers can read any file readable by the user CommuniGate runs by default as root (and it is not chrooted).’
‘The information has been provided by G.P.de.Boer.’
* CommuniGate Pro versions 4.0b to 4.0.2
* CommuniGate Pro version 4.0.3
Telnet to the port CommuniGate Pro’s webmail service is listening on or establish a SSL-session and issue a request like: (mind the ‘//’)
GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0
CommuniGate will send the passwd file. Of course the number of ‘..”s depends on your installation.
Upgrade to CommuniGate Pro 4.0.3, available on www.stalker.com.
You might want to run CommuniGate Pro as a non-root user, if you’re not doing so already. Read the following link for more information about dropping root: http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root‘