[15751] in bugtraq
Infosec.20000712.worldclient.2.1
daemon@ATHENA.MIT.EDU (Rikard Carlsson)
Wed Jul 12 14:52:42 2000
Mime-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Message-ID: <4125691A.00387C3A.00@guardianit.se>
Date: Wed, 12 Jul 2000 11:16:57 +0100
Reply-To: rikard.carlsson@INFOSEC.SE
From: Rikard Carlsson <rikard.carlsson@INFOSEC.SE>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
Infosec Security Vulnerability Report
No: Infosec.20000712.worldclient.2.1
===============================
Vulnerability Summary
---------------------
Problem: The web server for remote access to e-mail in WorldClient 2.1 is vulnerable to "root dot dot" (directory traversal). It is possible to read, and in some cases download, any file whose name and location are known on a Windows NT 4.0 host.
Threat: An attacker can download a copy of the sam._ file, the repair copy of the SAM database.
Platform: WorldClient 2.1 on Windows NT 4.0.
Solution: Currently there is no patch that corrects this problem. Mr John Grish, Technical Support Supervisor at Deerfield.com, told me that their development team is testing and working on this problem at this moment.
Vulnerability Description
-------------------------
The web server WDaemon/2.1, which is part of the web-based e-mail solution WorldClient 2.1, is vulnerable to root dot dot in some cases. When requesting the URL http://email.victim.com/..\..\..\winnt\repair\sam._ from Linux 2.X and Netscape 4.08, the sam._ file is downloaded.
It seems that this vulnerability is not present when requesting the same URL from Windows NT 4.0 with Internet Explorer 4.0 and Netscape Communicator 6.0. When using these newer browsers the backslash is automatically exchanged for a forward slash and I get a message that I am requesting a forbidden page.
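The report shows why a server must canonicalise the request path itself rather than rely on the client: newer browsers rewrite the backslash, older ones send it through. The following is an added example, not code from the advisory or from Deerfield: a naive filter that only knows the Unix "../" form beside a resolver that treats "\" as a separator, decodes percent-encoding, and flags any path that climbs above the document root, plus a small detector run over constructed log lines (the log format and addresses are assumptions).

```python
import re
from urllib.parse import unquote
# Constructed log lines (not from the advisory): the backslash form reported against
# WorldClient, a benign '..' that stays inside the root, and a percent-encoded variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2000:11:16:57 +0100] "GET /..\\..\\..\\winnt\\repair\\sam._ HTTP/1.0" 200 16384',
    '10.0.0.7 - - [12/Jul/2000:11:17:02 +0100] "GET /inbox/../index.html HTTP/1.0" 200 2048',
    '10.0.0.9 - - [12/Jul/2000:11:17:10 +0100] "GET /%2e%2e%5c%2e%2e%5cwinnt%5crepair%5csam._ HTTP/1.0" 200 16384',
]

def naive_is_safe(request_path: str) -> bool:
    """A check that only knows the Unix form; it passes the '..\\' request."""
    return "../" not in request_path

def resolve(request_path: str):
    """Canonicalise as a Windows-hosted server must: decode percent-encoding (repeated,
    to catch double encoding), treat '\\' as a separator like '/', walk the segments.
    Returns (path, escaped); escaped means '..' climbed above the document root."""
    path = request_path
    for _ in range(3):                        # bounded decode loop
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True                # tried to go above the root
        else:
            segments.append(seg)
    return "/" + "/".join(segments), escaped

def is_safe(request_path: str) -> bool:
    """Hardened check: reject anything that escapes the document root."""
    return not resolve(request_path)[1]

_REQ = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')

def traversal_attempts(log_lines):
    """Detection: (raw path, resolved path) for each logged request that escaped the root."""
    paths = [m.group(1) for m in map(_REQ.search, log_lines) if m]
    return [(p, path) for p in paths for path, escaped in [resolve(p)] if escaped]
```

Running traversal_attempts(SAMPLE_LOG) flags the first and third lines, both resolving to /winnt/repair/sam._, while the benign inbox request is left alone.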
Additional Information
----------------------
Deerfield Technical Support was notified about this vulnerability approximately two weeks ago. For more information about Deerfield and WorldClient, see http://worldclient.deerfield.com
Reported by: Rikard Carlsson, rikard.carlsson@infosec.se.
-------------------------------
Infosec is a Swedish-based tiger team that has been working with information security since 1982. Infosec has been doing network penetration tests and technical audits of computer systems since 1996. Infosec is now hiring in Sweden and the United Kingdom.
Please contact Christer Stafferöd for more information. Phone: +46-8-6621070
E-mail: stafferod@infosec.se
__________________________________________________
Backupcentralen will change name to Guardian iT Sweden
Domain will be guardianit.se
Mail = xx@guardianit.se
WWW = www.guardianit.com
__________________________________________________