Aconon Mail 2004 - Remote Directory Traversal Vulnerability

{"bulletinFamily": "exploit", "id": "EDB-ID:4977", "cvelist": ["CVE-2008-0464"], "modified": "2008-01-23T00:00:00", "lastseen": "2016-01-31T22:14:30", "edition": 1, "sourceData": "Application: aconon(R) Mail\n\nAffected versions: probably all known, tested against 2007 Enterprise\nSQL 11.7.0 and 2004 Enterprise SQL 11.5.1\n\nAffected plattforms: every, Aconon runs at (Win32, Linux, Solaris ...)\n\nExploitation: remote\n\nDescription: Aconon Mail is a commercial newsletter software, providing\na feature rich web interface for both, users and administrators. This\nincludes a public available archive of sent newsletters. Those archived\ne-mails may be accessed through the web browser, processed by a template\n engine. The used template may be overwritten by any user, modifying the\nHTTP-GET \"template\" form parameter. This parameter is checked against\ncode injection, not against directory traversal though.\n\nProof of Concept:\n\nhttp://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C\nvhttp://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C\n\nFix:\n\nNo fix has been published yet. However this workaround should patch the\nissue:\n\nAdd in archiv.cgi below\n $FORM{'template'} =~ s/\\|//g;\n\nthis code:\n\n use File::Basename;\n $FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'})\n: \"\";\n if ($FORM{'template'} && $FORM{'template'} !~ /\\.html$/) {\n &error (\"$TXT{'1501'}\");\n }\n\nStatus: the vendor has been informed.\n\n\nGerman readers of the list may also read\nhttp://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/\n\nP.S. greets to missi - you're great :o)\n\n# milw0rm.com [2008-01-23]\n", "published": "2008-01-23T00:00:00", "href": "https://www.exploit-db.com/exploits/4977/", "osvdbidlist": ["40479"], "reporter": "Arno Toll", "hash": "cdd6a0b4edd0380e4751c6525edc083d1a8a50e87e9a2725aaca53dbf88c60dd", "title": "Aconon Mail 2004 - Remote Directory Traversal Vulnerability", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Aconon Mail 2004 Remote Directory Traversal Vulnerability. CVE-2008-0464. Webapps exploit for cgi platform", "references": [], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/4977/", "viewCount": 1, "enchantments": {"vulnersScore": 2.6}}

{"result": {"cve": [{"id": "CVE-2008-0464", "type": "cve", "title": "CVE-2008-0464", "description": "Directory traversal vulnerability in archiv.cgi in absofort aconon Mail 2007 Enterprise SQL 11.7.0 and Mail 2004 Enterprise SQL 11.5.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter.", "published": "2008-01-25T11:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0464", "cvelist": ["CVE-2008-0464"], "lastseen": "2016-09-03T10:04:38"}]}}