602LAN SUITE Webmail Traversal Arbitrary File Upload
Remote / Network Access
Loss of Integrity, Loss of Availability
602LAN Suite contains a flaw that allows a remote attacker to upload files to arbitrary directories outside of the web path. The issue is due to the software not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the 'filename' variable when attaching a file to an email. Files uploaded into the cgi-bin directory can then be executed remotely by an authenticated user via a URL and run with the privileges of the web server.
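The input handling the advisory describes as missing, shown as an added Python example (this is not code from 602LAN Suite, whose handler is not available here): the upload side reduces the client-supplied 'filename' value to a single safe path component, flags traversal attempts for logging, and then independently verifies that the final path still resolves inside the attachment store. The store directory, the allowed-character policy and the sample filenames are assumptions constructed for this example.

```python
"""Hardened handling of a client-supplied attachment filename.

Added example, not 602LAN Suite code.  Two independent layers are applied
to the 'filename' value of an attach request: (1) reduce it to one safe
path component, (2) prove the joined path stays inside the attachment
store even if layer (1) were ever bypassed.
"""
import os
import re

# Allowed-character policy for stored attachment names (assumption for
# this example; a real deployment chooses its own).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
_SEPARATORS = re.compile(r"[\\/]")  # traversal payloads use either one


def has_traversal(user_filename: str) -> bool:
    """True when any path component of the raw value is '..' (worth logging)."""
    return any(part == ".." for part in _SEPARATORS.split(user_filename))


def sanitize_attachment_name(user_filename: str) -> str:
    """Reduce a client-supplied filename to a single safe path component.

    Raises ValueError when no acceptable name can be derived, so the caller
    rejects the upload instead of guessing.
    """
    # Some clients send a full local path; keep only the last component.
    leaf = _SEPARATORS.split(user_filename)[-1]
    # NUL bytes can truncate names in native code; never let them through.
    leaf = leaf.replace("\x00", "")
    if leaf in ("", ".", ".."):
        raise ValueError("empty or relative filename rejected")
    if not _SAFE_NAME.match(leaf):
        raise ValueError(f"filename contains disallowed characters: {leaf!r}")
    return leaf


def resolve_inside(base_dir: str, name: str) -> str:
    """Join name under base_dir and verify the result cannot escape it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes attachment store: {candidate!r}")
    return candidate


def is_confined(base_dir: str, name: str) -> bool:
    """Boolean form of resolve_inside for callers that only need a verdict."""
    try:
        resolve_inside(base_dir, name)
        return True
    except ValueError:
        return False


def store_path_for(base_dir: str, user_filename: str) -> str:
    """Full pipeline: sanitize the name, then confine the path."""
    return resolve_inside(base_dir, sanitize_attachment_name(user_filename))


def classify(user_filename: str) -> str:
    """Stored leaf name, or 'REJECTED: <reason>' for an audit log line."""
    try:
        return sanitize_attachment_name(user_filename)
    except ValueError as exc:
        return f"REJECTED: {exc}"


# Constructed sample values standing in for the 'filename' variable; the
# attachment store location is an assumption for this example.
ATTACHMENT_STORE = "/var/webmail/attachments"
SAMPLE_FILENAMES = [
    "report.pdf",
    "../../cgi-bin/upload.txt",
    "..\\..\\cgi-bin\\upload.txt",
    "C:\\Users\\alice\\Documents\\budget.xlsx",
    "..",
    "",
]

if __name__ == "__main__":
    for raw in SAMPLE_FILENAMES:
        flag = " [traversal attempt]" if has_traversal(raw) else ""
        print(f"{raw!r:45} -> {classify(raw)}{flag}")
```

Taking the last component rather than refusing every separator keeps legitimate clients working while still neutralising the traversal, and has_traversal gives the handler a signal to alert on. resolve_inside is deliberately independent of the sanitizer so a later parser change cannot silently reopen the hole; keeping the store outside any directory the web server will execute from (such as cgi-bin) removes the execution step the advisory describes regardless of how the name is parsed.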
Upgrade to version 2004.0.05.0207 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.