Mailtraq Arbitrary File/Directory Access

2003-06-09T13:49:07
ID OSVDB:2155
Type osvdb
Reporter Noam Rathaus (expert@securiteam.com)
Modified 2003-06-09T13:49:07

Description

Vulnerability Description

Mailtraq contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The server does not properly sanitize user input: it fails to filter directory traversal sequences (../../) supplied via the URI.

Solution Description

Upgrade to version 2.3.2.1419 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://127.0.0.1/win2k/
http://127.0.0.1/Program%20Files/

References:

Vendor URL: http://www.mailtraq.com/
Related OSVDB ID: 4089
Related OSVDB ID: 4092
Related OSVDB ID: 4090
Related OSVDB ID: 4091
Other Advisory URL: http://www.securiteam.com/windowsntfocus/5HP0G1FAAC.html
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0106.html
Keyword: Directory Traversal
ISS X-Force ID: 12308
Bugtraq ID: 7921