OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Infosec.20000712.worldclient.2.1
From: Rikard Carlsson (rikard.carlssonINFOSEC.SE)
Date: Wed Jul 12 2000 - 05:16:57 CDT


Infosec Security Vulnerability Report
No: Infosec.20000712.worldclient.2.1
===============================

Vulnerability Summary
---------------------
Problem: The web server for remote access to e-mail in WorldClient 2.1 is
               vulnerable for root dot dot. It is possible to read and in some
               cases download any file known by name and location on a Windows
NT 4.0.

Threat: An attacker can download a copy of the sam._ file, the repair
               SAM database.

Platform: WorldClient 2.1 on Windows NT 4.0,

Solution: Currently there is no patch that corrects this problem. Mr John
Grish,
               Technical Support Supervisor at Deerfield.com told me that their
               development team is testing and working on this problem in this
moment.

Vulnerability Description
-------------------------
The web server WDaemon/2.1, which is a part of the web-based Email solution
World
     Client 2.1 is vulnerable for root dot dot in some cases. When requesting
the URL http://email.victim.com/..\..\..\winnt\repair\sam._ from Linux 2.X and
Netscape 4.08
the sam._ is downloaded.
It seems like this vulnerability is not present when requesting the same URL
from
Windows NT 4.0 with Internet Explorer 4.0 and Netscape Communicator 6.0. When
using
these newer browsers the backslash is automatically exchanged for a forward
slash
and I get a message that I am requesting a forbidden page.

Additional Information
----------------------
Deerfield Technical Support was notified about this vulnerability approximately
two
week ago. For more information about Deerfield and WorldClient, see
http://worldclient.deerfield.com
Reported by: Rikard Carlsson, rikard.carlssoninfosec.se .

-------------------------------
Infosec is a Swedish based tiger team that has been working with information
security
since 1982. Infosec has been doing network penetration tests and technical
audits of
computer systems since 1996. Infosec is now hiring in Sweden and the United
Kingdom.
Please contact Christer Stafferöd for more information. Phone: +46-8-6621070
E-mail: stafferodinfosec.se

__________________________________________________
Backupcentralen byter namn till Guardian iT Sweden
Vi byter också domän till guardianit.se
Mail = xxguardianit.se
WWW = www.guardianit.com

Backupcentralen will change name to Guardian iT Sweden
Domain will be guardianit.se
Mail = xxguardianit.se
WWW = www.guardianit.com
__________________________________________________