lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4797F7F4.1090601@toell.net>
Date: Thu, 24 Jan 2008 03:29:08 +0100
From: Arno Töll <lists@...ll.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Directory Traversal Vulnerability in Aconon Mail

Application: aconon(R) Mail

Affected versions: probably all known, tested against 2007 Enterprise
SQL 11.7.0 and 2004 Enterprise SQL 11.5.1

Affected plattforms: every, Aconon runs at (Win32, Linux, Solaris ...)

Exploitation: remote

Description: Aconon Mail is a commercial newsletter software, providing
a feature rich web interface for both, users and administrators. This
includes a public available archive of sent newsletters. Those archived
e-mails may be accessed through the web browser, processed by a template
 engine. The used template may be overwritten by any user, modifying the
HTTP-GET "template" form parameter. This parameter is checked against
code injection, not against directory traversal though.

Proof of Concept:

http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C
vhttp://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C

Fix:

No fix has been published yet. However this workaround should patch the
issue:

Add in archiv.cgi below
  $FORM{'template'} =~ s/\|//g;

this code:

  use File::Basename;
  $FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'})
: "";
  if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) {
        &error ("$TXT{'1501'}");
        }

Status: the vendor has been informed.


German readers of the list may also read
http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/

P.S. greets to missi - you're great :o)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ