lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003601c30b48$ca196a80$1800a8c0@rosina>
Date: Fri, 25 Apr 2003 17:36:14 +0100
From: David A. Pérez <david@...borio.net>
To: <bugtraq@...urityfocus.com>
Subject: Path disclosure and file access on WebAdmin


WebAdmin is a web application to administer MDaemon and RelayFax. It can be
run on its own or as an ISAPI application under Microsoft Internet
Information Services (IIS). MDaemon is an e-mail server for Microsoft
Windows. RelayFax is a fax server also for Microsoft Windows. Both
applications have been developed by the same company than WebAdmin, Alt-N
Technologies (http://www.altn.com/), and is not included by default with
MDaemon, nor with RelayFax.

WebAdmin provides access to the configuration and log files of MDaemon and
RelayFax. The web page that lists all the files provide access to these
files through a hyperlink similar to:

http://server/WebAdmin.dll?Session=X&Program=MDaemon&Directory:Name=C:\MDaem
on\App&File:Name=MDAEMON.INI&View=EditFile

This URL discloses the location where MDaemon or RelayFax is installed.

Also, the WebAdmin.dll does not validate the user input allowing him to
craft the URL to access any file. For example:

http://server/WebAdmin.dll?Session=X&Program=MDaemon&Directory:Name=C:\WINNT
&File:Name=WIN.INI&View=ViewFile

- The vulnerability would not enable an attacker to gain any privileges on
an affected computer.

- An attacker will need to be able to logon with administrative permissions
to WebAdmin.

- If WebAdmin it is running under IIS only the files accessible by the user
IWAM_MACHINE can be read.

Vendor notified on April 10, 2003.
Vendor replied on April 10, 2003.

WebAdmin 2.0.3 is available since April 14, 2003. This new version patches
the "file access" problem but still reveals the directory where MDaemon or
RelayFax are installed.

David A. Pérez
 _                       _                   _
| | __  __ _  _ __ ___  | |__    ___   _ __ (_)  ___
| |/ / / _` || '_ ` _ \ | '_ \  / _ \ | '__|| | / _ \
|   < | (_| || | | | | || |_) || (_) || |   | || (_) |
|_|\_\ \__,_||_| |_| |_||_.__/  \___/ |_|   |_| \___/
      El perdón es la venganza de los buenos (anónimo)

http://www.kamborio.com/?Section=Articles&Mode=select&ID=55



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ