iDEFENSE Security Advisory 2005-05-24.4

14 Aug 2005, reported by iDefense Labs. Type: packetstorm. Source: packetstormsecurity.com

Remote file read vulnerability in Ipswitch IMail Web Calendaring Serve

`Ipswitch IMail Web Calendaring Arbitrary File Read Vulnerability  
  
iDEFENSE Security Advisory 05.24.05  
www.idefense.com/application/poi/display?id=242&type=vulnerabilities  
May 24, 2005  
  
I. BACKGROUND  
  
Ipswitch Collaboration Suite (ICS) is a comprehensive communication and   
collaboration solution for Microsoft Windows with a customer base of   
over 53 million users. More information is available on the vendor's   
website:  
  
http://www.ipswitch.com/products/IMail_Server/index.html  
  
II. DESCRIPTION  
  
Remote exploitation of a directory traversal vulnerability in Ipswitch   
Inc.'s IMail Web Calendaring server allows attackers to read arbitrary   
files with System privileges.   
  
The problem specifically exists because of a flaw in the handling of   
requests for nonexistent javascript (jsp) files. By requesting a   
nonexistent jsp file followed by a question mark, several sequences of   
"..\" and then the path to a file on the system, an attacker can read   
arbitrary files remotely without any authentication.   
  
The following query demonstrates how the system's boot.ini file may be   
retrieved:   
  
GET /bla.jsp?\..\..\..\..\..\..\..\..\..\..\boot.ini HTTP/1.0  
Connection: Close  
Host: example.com  
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)  
Pragma: no-cache   
  
III. ANALYSIS  
  
Successful exploitation allows remote attackers to retrieve arbitrary   
files from the target host. Exploitation does not require authentication  
and does not require exploit code, as a user can simply type the   
malicious query in a web browser.  
  
IV. DETECTION  
  
iDEFENSE has confirmed the existence of this vulnerability in the latest  
version of Ipswitch IMAIL, version 8.13. It is suspected that earlier   
versions are also vulnerable.  
  
V. WORKAROUND  
  
Limit access to the Web Calendaring server by allowing only trusted   
hosts to access TCP port 8484, the default port for Web Calendaring. If   
the Web Calendaring service is not required, disable it entirely.  
  
VI. VENDOR RESPONSE  
  
The vendor has released the following patch to fix this vulnerability:  
  
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail82hf2.exe  
  
The associated vendor advisory can be found at:  
  
http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html  
  
VII. CVE INFORMATION  
  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CAN-2005-1252 to this issue. This is a candidate for inclusion in  
the CVE list (http://cve.mitre.org), which standardizes names for  
security problems.  
  
VIII. DISCLOSURE TIMELINE  
  
04/25/2005 Initial vendor notification  
05/10/2005 Initial vendor response  
05/24/2005 Public disclosure  
  
IX. CREDIT  
  
The discoverer of this vulnerability wishes to remain anonymous.  
  
Get paid for vulnerability research  
http://www.idefense.com/poi/teams/vcp.jsp  
  
Free tools, research and upcoming events  
http://labs.idefense.com  
  
X. LEGAL NOTICES  
  
Copyright (c) 2005 iDEFENSE, Inc.  
  
Permission is granted for the redistribution of this alert  
electronically. It may not be edited in any way without the express  
written consent of iDEFENSE. If you wish to reprint the whole or any  
part of this alert in any other medium other than electronically, please  
email [email protected] for permission.  
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information. Use  
of the information constitutes acceptance for use in an AS IS condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct, indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.  
  
`
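
An added example, not part of the iDEFENSE advisory or any vendor tooling: a scan of web access logs for the request shape described in section II, a `.jsp` request whose query string carries `..` path segments. The log format, client addresses and percent-encoded variants are constructed for illustration and assume the Web Calendaring traffic is logged in common log format by a proxy or the server itself.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (common log format); addresses and paths are made up.
SAMPLE_LOG = [
    r'192.0.2.10 - - [24/May/2005:10:00:01 +0000] "GET /bla.jsp?\..\..\..\boot.ini HTTP/1.0" 200 211',
    '192.0.2.11 - - [24/May/2005:10:00:05 +0000] "GET /calendar.jsp?view=month&date=2005-05 HTTP/1.0" 200 5120',
    '192.0.2.12 - - [24/May/2005:10:00:09 +0000] "GET /x.jsp?%5c..%5c..%5cboot.ini HTTP/1.0" 200 211',
    '192.0.2.13 - - [24/May/2005:10:00:12 +0000] "GET /y.jsp?%252e%252e%255c%252e%252e%255cboot.ini HTTP/1.0" 404 0',
    '192.0.2.14 - - [24/May/2005:10:00:20 +0000] "GET /help.jsp?topic=a..b HTTP/1.0" 200 900',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment bounded by a separator or string edge, once "\" is normalised to "/".
TRAVERSAL_RE = re.compile(r'(?:^|[/=&])\.\.(?:/|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(target):
    """True if target is a .jsp request whose query string holds a '..' path segment."""
    path, sep, query = target.partition('?')
    if not sep or not fully_decode(path).lower().endswith('.jsp'):
        return False
    normalised = fully_decode(query).replace('\\', '/')
    return bool(TRAVERSAL_RE.search(normalised))

def scan(lines):
    """Return (client, target) for every log line matching the advisory's request shape."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal_request(m.group('target')):
            hits.append((line.split()[0], m.group('target')))
    return hits

if __name__ == '__main__':
    for client, target in scan(SAMPLE_LOG):
        print(client, target)
```

Hits from hosts outside the trusted set named in the workaround are worth reviewing alongside the response size, since a successful read returns file contents rather than an error page.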
