[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Cobalt Cube Webmail directory traversal (fwd)
- Subject: Re: [cobalt-security] Cobalt Cube Webmail directory traversal (fwd)
- From: shimi <shimi@xxxxxxxxxxxxxxxx>
- Date: Fri, 6 Jul 2001 05:34:42 -0700 (PDT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Fri, 6 Jul 2001, Gossi The Dog wrote:
>
> FYI. Disable webmail until Cobalt fix this one.
>
> ---------- Forwarded message ----------
> Date: Thu, 05 Jul 2001 03:41:50 -0400
> From: KF <dotslash@xxxxxxxxxxx>
> To: bugtraq@xxxxxxxxxxxxxxxxx, recon@xxxxxxxxxxx
> Subject: Cobalt Cube Webmail directory traversal
>
> I just got a new Cobalt Cube today and I have been poking around at it
> for security issues... I noticed this minor issue in the webmail system.
> Your
> users are not aloud to have shell access by default however if they
> malform their mailbox requests they can read local files with the perms
> of the webserver. If your users have shell access they will not really
> be gaining anything however this could be used to remotely gather
> information for a future attack.
>
> [admin admin]$ uname -a
> Linux cube.ckfr.com 2.2.16C7 #1 Fri Sep 8 15:58:03 PDT 2000 i586 unknown
> [admin admin]$ cat /etc/issue
>
> Cobalt Linux release 6.0 (Carmel)
> Kernel 2.2.16C7 on an i586
>
> http://YOURCOBALTBOX:444/base/webmail/readmsg.php?mailbox=../../../../../../../../../../../../../../etc/passwd&id=1
>
> -KF
>
I'm always shocked to see the amount of programs that doesn't check this
very obvious thing (in microsoft's case, even the webserver itself!!!)
I don't see why the webserver should even UNDERSTAND what ".." is (in a
url, that is).
- shimi.