‘Directory Traversal Bug in CommuniGate Pro 4’s Webmail Service (*)’


‘CommuniGate Pro’s webmail service contains a directory traversal bug by which attackers can read any file readable by the user CommuniGate runs by default as root (and it is not chrooted).’


‘The information has been provided by G.P.de.Boer.’


Vulnerable systems:
 * CommuniGate Pro versions 4.0b to 4.0.2

Immune systems:
 * CommuniGate Pro version 4.0.3

Telnet to the port CommuniGate Pro’s webmail service is listening on or establish a SSL-session and issue a request like: (mind the ‘//’)

GET /DomainFiles/*//../../../../etc/passwd HTTP/1.0

CommuniGate will send the passwd file. Of course the number of ‘..”s depends on your installation.

Upgrade to CommuniGate Pro 4.0.3, available on www.stalker.com.

Other considerations:
You might want to run CommuniGate Pro as a non-root user, if you’re not doing so already. Read the following link for more information about dropping root: http://www.stalker.com/CommuniGatePro/SysAdmin.html#Root

Categories: News