[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003601c30b48$ca196a80$1800a8c0@rosina>
Date: Fri, 25 Apr 2003 17:36:14 +0100
From: David A. Pérez <david@...borio.net>
To: <bugtraq@...urityfocus.com>
Subject: Path disclosure and file access on WebAdmin
WebAdmin is a web application to administer MDaemon and RelayFax. It can be
run on its own or as an ISAPI application under Microsoft Internet
Information Services (IIS). MDaemon is an e-mail server for Microsoft
Windows. RelayFax is a fax server also for Microsoft Windows. Both
applications have been developed by the same company than WebAdmin, Alt-N
Technologies (http://www.altn.com/), and is not included by default with
MDaemon, nor with RelayFax.
WebAdmin provides access to the configuration and log files of MDaemon and
RelayFax. The web page that lists all the files provide access to these
files through a hyperlink similar to:
http://server/WebAdmin.dll?Session=X&Program=MDaemon&Directory:Name=C:\MDaem
on\App&File:Name=MDAEMON.INI&View=EditFile
This URL discloses the location where MDaemon or RelayFax is installed.
Also, the WebAdmin.dll does not validate the user input allowing him to
craft the URL to access any file. For example:
http://server/WebAdmin.dll?Session=X&Program=MDaemon&Directory:Name=C:\WINNT
&File:Name=WIN.INI&View=ViewFile
- The vulnerability would not enable an attacker to gain any privileges on
an affected computer.
- An attacker will need to be able to logon with administrative permissions
to WebAdmin.
- If WebAdmin it is running under IIS only the files accessible by the user
IWAM_MACHINE can be read.
Vendor notified on April 10, 2003.
Vendor replied on April 10, 2003.
WebAdmin 2.0.3 is available since April 14, 2003. This new version patches
the "file access" problem but still reveals the directory where MDaemon or
RelayFax are installed.
David A. Pérez
_ _ _
| | __ __ _ _ __ ___ | |__ ___ _ __ (_) ___
| |/ / / _` || '_ ` _ \ | '_ \ / _ \ | '__|| | / _ \
| < | (_| || | | | | || |_) || (_) || | | || (_) |
|_|\_\ \__,_||_| |_| |_||_.__/ \___/ |_| |_| \___/
El perdón es la venganza de los buenos (anónimo)
http://www.kamborio.com/?Section=Articles&Mode=select&ID=55
Powered by blists - more mailing lists