Vendor: Aconon Mail
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: Aconon Mail
Affected Version From: All known versions, tested against 2007 Enterprise SQL 11.7.0 and 2004 Enterprise SQL 11.5.1
Affected Version To: Unknown
Patch Exists: No
Related CWE: Unknown
CPE: aconon-mail
Metasploit: none listed
Other Scripts: none listed
Platforms Tested: Win32, Linux, Solaris
Year: 2008

Directory Traversal Vulnerability in Aconon Mail

Aconon Mail is a commercial newsletter application whose publicly available archive lets visitors read sent newsletters in a web browser. Each archived message is rendered through a template, and the template to use is taken from the 'template' parameter of the HTTP GET request. That parameter is filtered against code injection but not against directory traversal, so any user can point it at a different file and make the template engine read sensitive files on the server, such as the application's own password file or /etc/passwd.

Mitigation:

No fix has been published yet. The suggested workaround is to add code to 'archiv.cgi' that reduces the 'template' parameter to a bare file name (dropping any directory part) and rejects any value that does not end in '.html'. The vendor has been informed about the vulnerability.

Exploit-DB raw data:

Application: aconon(R) Mail

Affected versions: probably all known, tested against 2007 Enterprise SQL 11.7.0 and 2004 Enterprise SQL 11.5.1

Affected platforms: every platform Aconon runs on (Win32, Linux, Solaris, ...)

Exploitation: remote

Description: Aconon Mail is a commercial newsletter software, providing a feature-rich web interface for both users and administrators. This includes a publicly available archive of sent newsletters. Those archived e-mails may be accessed through the web browser, processed by a template engine. The template used may be overridden by any user by modifying the HTTP GET "template" form parameter. This parameter is checked against code injection, but not against directory traversal.

Proof of Concept:

http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C
http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C

Fix:

No fix has been published yet. However, this workaround should patch the
issue:

Add in archiv.cgi, below

  $FORM{'template'} =~ s/\|//g;

this code:

  use File::Basename;
  # Keep only the file name, dropping any directory component ("../" included).
  $FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'}) : "";
  # Only .html templates are legitimate; anything else triggers the application's error.
  if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) {
      &error ("$TXT{'1501'}");
  }
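To make the reasoning behind the workaround concrete, the following stand-alone Perl script (an added example, not code from the advisory or from the vendor's archiv.cgi) runs the two 'template' values from the proof of concept through the original pipe-stripping filter and through the workaround's basename-plus-extension check. It goes one step beyond the advisory by also showing a lexical path-containment check, so a reader can see why the extension check is needed even when the resolved path stays inside the template directory. The template directory path, the error label and the sample inputs are assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(basename);

# Hypothetical template directory; the advisory does not name the real one.
my $TEMPLATE_DIR = '/var/www/aconon/templates';

# The check the advisory says archiv.cgi already performs: only '|' is removed,
# which blocks shell-style injection but leaves "../" sequences untouched.
sub original_filter {
    my ($template) = @_;
    $template =~ s/\|//g;
    return $template;
}

# The advisory's workaround as a function: reduce the value to its file name
# and require an .html extension. Returns undef when the value must be rejected.
sub sanitize_template {
    my ($template) = @_;
    return '' unless defined $template && length $template;
    my $name = basename($template);
    return undef unless $name =~ /\.html\z/;
    return $name;
}

# Lexical normalisation: resolves "." and ".." without touching the filesystem,
# so it is safe to run on untrusted input before any open().
sub lexical_normalise {
    my ($path) = @_;
    my @out;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') { pop @out; next; }
        push @out, $seg;
    }
    return '/' . join('/', @out);
}

# True when $path, once normalised, is $dir itself or lies below it.
sub is_inside_dir {
    my ($path, $dir) = @_;
    my $norm = lexical_normalise($path);
    my $base = lexical_normalise($dir);
    return $norm eq $base || index($norm, "$base/") == 0;
}

# Constructed sample values: a legitimate template name followed by the two
# 'template' values from the advisory's proof of concept.
my @inputs = (
    'Newsletter.html',
    'data/password.pl',
    '../../../../../../etc/passwd',
);

for my $in (@inputs) {
    my $weak      = original_filter($in);
    my $weak_path = "$TEMPLATE_DIR/$weak";
    my $hard      = sanitize_template($in);
    printf "%s\n", $in;
    printf "  original filter would open : %s (inside template dir: %s)\n",
        lexical_normalise($weak_path),
        is_inside_dir($weak_path, $TEMPLATE_DIR) ? 'yes' : 'no';
    printf "  hardened check             : %s\n",
        defined $hard ? "accepts '$hard'" : 'rejects with $TXT{1501} error';
}
```

Running it shows the three cases the advisory is concerned with: the legitimate name is accepted unchanged; 'data/password.pl' stays inside the template directory, so a containment check alone would let it through, and only the .html requirement rejects it; '../../../../../../etc/passwd' normalises to /etc/passwd, outside the directory, and is rejected by both the containment check and the workaround. Because basename() discards every directory component before the extension test, the workaround covers both cases without needing the containment check, which is why the advisory's two lines are sufficient on their own.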

Status: the vendor has been informed.


German readers of the list may also read
http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/

P.S. greets to missi - you're great :o)

# milw0rm.com [2008-01-23]