Bugtraq mailing list archives
Infosec.20000712.worldclient.2.1
From: rikard.carlsson () INFOSEC SE (Rikard Carlsson)
Date: Wed, 12 Jul 2000 11:16:57 +0100
Infosec Security Vulnerability Report
No: Infosec.20000712.worldclient.2.1
===============================
Vulnerability Summary
---------------------
Problem: The web server for remote access to e-mail in WorldClient 2.1 is vulnerable to root dot dot. It is possible to read, and in some cases download, any file known by name and location on a Windows NT 4.0 system.
Threat: An attacker can download a copy of the sam._ file, the repair SAM database.
Platform: WorldClient 2.1 on Windows NT 4.0.
Solution: Currently there is no patch that corrects this problem. Mr John Grish, Technical Support Supervisor at Deerfield.com, told me that their development team is testing and working on this problem at this moment.
Vulnerability Description
-------------------------
The web server WDaemon/2.1, which is a part of the web-based e-mail solution WorldClient 2.1, is vulnerable to root dot dot in some cases. When requesting the URL http://email.victim.com/..\..\..\winnt\repair\sam._ from Linux 2.X and Netscape 4.08, the sam._ file is downloaded.

It seems that this vulnerability is not present when requesting the same URL from Windows NT 4.0 with Internet Explorer 4.0 and Netscape Communicator 6.0. When using these newer browsers, the backslash is automatically exchanged for a forward slash and I get a message that I am requesting a forbidden page.
Additional Information
----------------------
Deerfield Technical Support was notified about this vulnerability approximately two weeks ago. For more information about Deerfield and WorldClient, see http://worldclient.deerfield.com

Reported by: Rikard Carlsson, rikard.carlsson () infosec se
-------------------------------
Infosec is a Swedish-based tiger team that has been working with information security since 1982. Infosec has been doing network penetration tests and technical audits of computer systems since 1996. Infosec is now hiring in Sweden and the United Kingdom.
Please contact Christer Stafferöd for more information. Phone: +46-8-6621070, E-mail: stafferod () infosec se
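The following is an added example, not part of the original advisory and not WDaemon's code: it contrasts a hypothetical filter that only blocks the forward-slash form (consistent with the behaviour reported in the Vulnerability Description) with a check that normalizes the path using Windows rules and confirms it stays under the document root. The root `C:\WorldClient\html` and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any host OS
from urllib.parse import unquote

# Assumed document root; the advisory does not state WorldClient's real path.
DOC_ROOT = r"C:\WorldClient\html"


def naive_is_allowed(url_path):
    """Hypothetical weak filter: only the forward-slash form is rejected."""
    return "../" not in url_path


def resolve_under_root(url_path, root=DOC_ROOT):
    """Return the normalized Windows path, or None if it leaves the root."""
    decoded = unquote(url_path)  # decode before checking, never after
    if "\x00" in decoded or ":" in decoded:
        return None  # NUL bytes, drive letters, alternate data streams
    # Windows accepts both separators, so fold '/' into '\' first.
    relative = decoded.replace("/", "\\").lstrip("\\")
    candidate = ntpath.normpath(ntpath.join(root, relative))
    root_norm = ntpath.normcase(ntpath.normpath(root))
    cand_norm = ntpath.normcase(candidate)
    if cand_norm != root_norm and not cand_norm.startswith(root_norm + "\\"):
        return None
    return candidate


# Request paths: the first is the one quoted in the advisory, the second is
# the form the newer browsers sent, the third is a constructed benign path.
SAMPLES = [
    r"/..\..\..\winnt\repair\sam._",
    "/../../../winnt/repair/sam._",
    "/inbox/index.html",
]


def audit(samples=SAMPLES):
    """Return (path, naive verdict, hardened result) for each sample."""
    return [(p, naive_is_allowed(p), resolve_under_root(p)) for p in samples]


if __name__ == "__main__":
    for path, naive, resolved in audit():
        verdict = "allow" if naive else "deny"
        print(f"{path!r}: naive={verdict} hardened={resolved or 'deny'}")
```

The naive filter lets the backslash form through, while the normalizing check rejects both traversal forms and still serves the benign path.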
