Aconon Mail 2004 - Remote Directory Traversal Vulnerability

ID EDB-ID:4977
Type exploitdb
Reporter Arno Toll
Modified 2008-01-23T00:00:00


Aconon Mail 2004 Remote Directory Traversal Vulnerability. CVE-2008-0464. Webapps exploit for cgi platform

Application: aconon(R) Mail

Affected versions: probably all known, tested against 2007 Enterprise
SQL 11.7.0 and 2004 Enterprise SQL 11.5.1

Affected platforms: every platform Aconon runs on (Win32, Linux, Solaris ...)

Exploitation: remote

Description: Aconon Mail is a commercial newsletter application that
provides a feature-rich web interface for both users and administrators.
This includes a publicly available archive of sent newsletters. The
archived e-mails can be accessed through a web browser and are rendered
by a template engine. Any user can override the template used by
modifying the HTTP GET "template" form parameter. This parameter is
checked for code injection, but not for directory traversal.

Proof of Concept:


No fix has been published yet. However this workaround should patch the

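In archiv.cgi, below the line

  $FORM{'template'} =~ s/\|//g;

add this code:

  use File::Basename;
  # Keep only the final path component of the requested template
  $FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'}) : "";
  # Reject any template name that does not end in .html
  if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) {
        &error ("$TXT{'1501'}");
  }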
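
The effect of the workaround, as an added Perl example that is not part of the original advisory or of Aconon's code: it runs the pipe-only filter and the basename()/.html check over constructed "template" values. The function names and sample values are assumptions, and the suffix test uses \z where the advisory uses $.

```perl
#!/usr/bin/perl
# Added example, not Aconon code: compares the pipe-only filter with the
# advisory's basename() + ".html" workaround on constructed inputs.
use strict;
use warnings;
use File::Basename qw(basename);

# Hypothetical stand-in for the existing check: only "|" is stripped,
# so directory components pass through untouched.
sub filter_original {
    my ($template) = @_;
    $template =~ s/\|//g;
    return $template;
}

# The advisory's workaround written as a function: keep only the final
# path component and require an .html suffix. Returns undef on rejection
# (the point where archiv.cgi would call &error).
sub filter_workaround {
    my ($template) = @_;
    return '' unless defined $template && length $template;
    my $name = basename($template);
    # \z anchors at the true end of the string; "$" would also match
    # just before a trailing newline.
    return unless $name =~ /\.html\z/;
    return $name;
}

# Constructed sample values for the "template" parameter.
my @samples = (
    'archive.html',
    '../../conf/settings.html',
    '../../conf/settings.cfg',
    'news|letter.html',
);

for my $in (@samples) {
    my $old = filter_original($in);      # what the template engine saw before
    my $new = filter_workaround($old);   # what it sees with the workaround
    printf "%-26s original=%-26s workaround=%s\n",
        $in, $old, defined $new ? $new : 'REJECTED';
}
```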

Status: the vendor has been informed.

German readers of the list may also read

P.S. greets to missi - you're great :o)

# [2008-01-23]