[26050] in bugtraq
Re: CommuniGate Pro directory listings
daemon@ATHENA.MIT.EDU (tfm@tfm.org)
Wed Jul 3 12:38:00 2002
Message-ID: <008101c22273$f4f86c60$2005270a@geniemln2505>
From: <tfm@tfm.org>
To: <bugtraq@securityfocus.com>
Cc: <c0rrect0r@hushmail.com>
Date: Wed, 3 Jul 2002 11:28:06 +0200
Hi, it's not working on 3.5.9 (not a beta release) :
Verified on Linux and Solaris.
TfM
----- Original Message -----
From: <c0rrect0r@hushmail.com>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, July 02, 2002 7:56 AM
Subject: CommuniGate Pro directory listings
> Problem:
> An anonymous user can see the listing of the current and parent directory
> of CommuniGatePro WebUser directory.
> Vulnerable:
> All current versions of CommuniGatePro <= 4.0b4
> Details:
> You can get the listing of directory by accessing the CommuniGatePro
> webmail for example http://host.com/. or http://host.com/..
Attachment: cgp_dir.txt
[tfm@tfm dir]$ telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET /.. HTTP/1.0
HTTP/1.1 404 NotFound
Content-Length: 240
CONNECTION: close
Date: Wed, 03 Jul 2002 07:51:10 GMT
Content-Type: text/html
Server: CommuniGatePro/3.5.9
<HTML>
<HEAD>
<TITLE>CommuniGate Pro User Interface: Error</TITLE>
</HEAD>
<BODY BGCOLOR="#FFCCCC">
<BR><BR>
<H3 ALIGN=CENTER>Sorry, the Server failed to retrieve the requested data.</H3>
<P><FONT COLOR=red></FONT></P>
</BODY>
</HTML>
Connection closed by foreign host.
[tfm@tfm dir]$ !teln
telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET /../ HTTP/1.0
HTTP/1.1 404 NotFound
Content-Length: 240
CONNECTION: close
Date: Wed, 03 Jul 2002 08:10:29 GMT
Content-Type: text/html
Server: CommuniGatePro/3.5.9
<HTML>
<HEAD>
<TITLE>CommuniGate Pro User Interface: Error</TITLE>
</HEAD>
<BODY BGCOLOR="#FFCCCC">
<BR><BR>
<H3 ALIGN=CENTER>Sorry, the Server failed to retrieve the requested data.</H3>
<P><FONT COLOR=red></FONT></P>
</BODY>
</HTML>
Connection closed by foreign host.
[tfm@tfm dir]$ telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET http://10.39.5.31/.. HTTP/1.0
Connection closed by foreign host.
[tfm@tfm dir]$ telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET .. HTTP/1.0
Connection closed by foreign host.
[tfm@tfm dir]$ telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET /. HTTP/1.0
HTTP/1.1 404 NotFound
Content-Length: 240
CONNECTION: close
Date: Wed, 03 Jul 2002 07:51:50 GMT
Content-Type: text/html
Server: CommuniGatePro/3.5.9
<HTML>
<HEAD>
<TITLE>CommuniGate Pro User Interface: Error</TITLE>
</HEAD>
<BODY BGCOLOR="#FFCCCC">
<BR><BR>
<H3 ALIGN=CENTER>Sorry, the Server failed to retrieve the requested data.</H3>
<P><FONT COLOR=red></FONT></P>
</BODY>
</HTML>
Connection closed by foreign host.
[tfm@tfm dir]$ telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET /./ HTTP/1.0
HTTP/1.1 404 NotFound
Content-Length: 240
CONNECTION: close
Date: Wed, 03 Jul 2002 08:10:29 GMT
Content-Type: text/html
Server: CommuniGatePro/3.5.9
<HTML>
<HEAD>
<TITLE>CommuniGate Pro User Interface: Error</TITLE>
</HEAD>
<BODY BGCOLOR="#FFCCCC">
<BR><BR>
<H3 ALIGN=CENTER>Sorry, the Server failed to retrieve the requested data.</H3>
<P><FONT COLOR=red></FONT></P>
</BODY>
</HTML>
Connection closed by foreign host.
[tfm@tfm dir]$ telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET http://10.39.5.31/. HTTP/1.0
Connection closed by foreign host.
[tfm@tfm dir]$ telnet 10.39.5.31 80
Trying 10.39.5.31...
Connected to 10.39.5.31.
Escape character is '^]'.
GET . HTTP/1.0
Connection closed by foreign host.
[tfm@tfm dir]$
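
Added example, not part of the original post and not CommuniGate Pro code: a server-side guard that rejects every request form tried in the transcript above (`/.`, `/..`, their trailing-slash and absolute-URI variants, and the slash-less `.` and `..`). It goes slightly beyond the thread by also decoding percent-encoded dots; the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Request lines from the telnet transcript above; the last two are
# constructed benign requests added for contrast.
REQUEST_LINES = [
    "GET /.. HTTP/1.0", "GET /../ HTTP/1.0",
    "GET http://10.39.5.31/.. HTTP/1.0", "GET .. HTTP/1.0",
    "GET /. HTTP/1.0", "GET /./ HTTP/1.0",
    "GET http://10.39.5.31/. HTTP/1.0", "GET . HTTP/1.0",
    "GET / HTTP/1.0", "GET /docs/v1.2/index.html HTTP/1.0",
]


def target_path(target):
    """Return the path of an origin-form or absolute-form target, else None."""
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).path or "/"   # absolute-form: drop scheme/host
    if target.startswith("/"):
        return target.split("?", 1)[0]        # origin-form: drop the query
    return None                               # e.g. "GET .. HTTP/1.0"


def has_dot_segment(path):
    """True if any path segment is exactly '.' or '..' after percent-decoding."""
    # Decoding once catches %2e%2e; names such as 'v1.2' or '.well-known'
    # are left alone because only whole segments are compared.
    return any(seg in (".", "..") for seg in unquote(path).split("/"))


def verdict(request_line):
    """Classify one HTTP request line as 'allow' or 'reject: <reason>'."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "reject: malformed request line"
    path = target_path(parts[1])
    if path is None:
        return "reject: target is neither origin-form nor absolute-form"
    if has_dot_segment(path):
        return "reject: dot segment in path"
    return "allow"


if __name__ == "__main__":
    for line in REQUEST_LINES:
        print(f"{line!r:45} -> {verdict(line)}")
```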