SecurityTracker.com
Category:   Application (Generic)  >   DeskNow
Vendors:   Ventia
DeskNow Mail and Collaboration Server Directory Traversal Flaw Lets Remote Authenticated Users Upload and Delete Arbitrary Files
SecurityTracker Alert ID:  1013060
SecurityTracker URL:  http://securitytracker.com/id/1013060
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Feb 3 2005
Original Entry Date:  Feb 2 2005
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.5.12
Description:   Tan Chew Keong of SIG^2 reported a vulnerability in DeskNow Mail and Collaboration Server. A remote authenticated user can upload files to arbitrary locations on the target server and delete arbitrary files.

The 'attachment.do' script does not properly validate user-supplied input in the 'AttachmentsKey' parameter. A remote authenticated user can supply a specially crafted value containing directory traversal characters to cause a file to be uploaded to an arbitrary location on the target server. If the file includes JSP scripting code, the remote user can later cause the web server to execute the scripting code. The code will run with Local System privileges on Windows-based systems.

The 'file.do' script does not properly validate user-supplied input in the 'select_file' parameter. A remote authenticated user can submit a specially crafted value containing directory traversal characters as part of a POST request to cause files on the target server to be deleted.

The vendor was notified on January 24, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/desknow2512.html

Impact:   A remote authenticated user can upload files to arbitrary locations on the target server and then cause the web server to execute scripting code in the files.

A remote authenticated user can delete arbitrary files.

Solution:   The vendor has released a fixed version (2.5.14 and later), available at:

http://www.desknow.com/desknowmc/downloads.html

Vendor URL:  www.desknow.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested only on Windows 2000 SP4

Message History:   None.


Source Message Contents

Subject:  [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal


SIG^2 Vulnerability Research Advisory

DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities

by Tan Chew Keong
Release Date: 02 Feb 2005


ADVISORY URL
http://www.security.org.sg/vuln/desknow2512.html


SUMMARY

DeskNow Mail and Collaboration Server 
(http://www.desknow.com/desknowmc/index.html) is a full-featured and 
integrated mail and instant messaging server, with webmail, secure 
instant messaging, document repository, shared calendars, address books, 
message boards, web-publishing, anti-spam features, Palm and PocketPC 
access and much more.

A directory traversal vulnerability was found in the DeskNow webmail file 
attachment upload feature that may be exploited to upload files to 
arbitrary locations on the server. A malicious webmail user may upload a 
JSP file to the script directory of the server and execute it by 
requesting the URL of the uploaded JSP file. A second directory traversal 
vulnerability exists in the document repository file delete feature. 
This vulnerability may be exploited to delete arbitrary files on the 
server.


TESTED SYSTEM

DeskNow Mail and Collaboration Server Version 2.5.12 on English Win2K SP4


DETAILS

On the Windows platform, the default installation of DeskNow Mail and 
Collaboration Server runs its webmail service using Tomcat Application 
Server with LOCAL SYSTEM privilege. This advisory documents two 
directory traversal vulnerabilities that may be exploited by a malicious 
webmail user to upload/delete files to/from arbitrary directories.


1. Insufficient input sanitization in attachment.do allows file upload 
to arbitrary directories.

DeskNow's webmail allows a logged-on mail user to upload file attachments 
when composing an email. Lack of sanitization of the AttachmentsKey 
parameter allows the user to upload files to arbitrary locations on the 
server. More specifically, it is possible to use directory traversal 
characters to cause the uploaded file attachment to be saved outside the 
temporary directory. This may be exploited by a malicious webmail user 
to upload JSP files to the script execution directory of the server. 
After uploading the JSP file, it is possible to execute that file by 
directly requesting its URL (i.e. 
http://[hostname]/desknow/jsp/test/poc.jsp). Successful exploitation 
will allow upload and execution of arbitrary JSP code with LOCAL SYSTEM 
privilege. E.g. a malicious user may upload a JSP file that gives 
him/her a reverse shell.


2. Insufficient input sanitization in file.do allows deleting of 
arbitrary files.

DeskNow's document repository feature allows a user to store files on 
the server via the web interface. A user is allowed to delete his/her 
own files. When the user selects his own file to be deleted, the file 
name is sent using the select_file parameter as a POST request to 
file.do. It is possible to use directory traversal characters within 
this parameter to delete files that do not belong to the user.


PATCH

Upgrade to DeskNow Mail and Collaboration Server Version 2.5.14 or later.


DISCLOSURE TIMELINE

23 Jan 05 - Vulnerability Discovered.
24 Jan 05 - Initial Vendor Notification.
24 Jan 05 - Initial Vendor Reply.
25 Jan 05 - Vendor Released Version 2.5.13.
25 Jan 05 - Informed Vendor that Vulnerability is not Fully Fixed.
27 Jan 05 - Vendor Released Fixed Version 2.5.14.
02 Feb 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."