On 8/16/06, Fritz Borgstedt <[EMAIL PROTECTED]> wrote:
> Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
> <[email protected]> schreibt:
> >
> >Note:  I did *not* claim to discover the vulnerability - only that it
> >has been known for some time and that I was aware of it.  I did
> >however
> >post a detailed write-up of the issue to the Full-Disclosure
> >vulnerabilities list, which is how Secunia picked up on it.
>
>
> I absolutely do not understand what is going on here.
>
> ME produced a description there: >Input passed to the "file" parameter
> in the administration section isn't properly sanitised before being
> used to view files. This can be exploited to disclose the content of
> arbitrary files from local resources and network shares<.
>
>
> The webinterface is for admins, what are the files, a server admin
> should not have browse access to?
>
>

The problem is that it allows access to files that the ASSP server
admin may not normally have access to.

Perhaps you delegate the ASSP management to someone else for a while?
Using this vulnerability they can access any file that the ASSP
service, or the user it is running as, has access to.

An example on *nix would be the /etc/passwd file:
"http://127.0.0.1:55555/get?file=/etc/passwd"

It also works over a Windows SMB share:
"http://127.0.0.1:55555/get?file=\\servername\\sharename\filename"

Yes, it requires access to the admin interface with a password, and
that's why it's rated "Not critical".

(This part is for everyone else, not you Fritz.)
You can do a few things to mitigate the risk:
A) restrict access to the interface using the built-in function or
with a firewall
B) Set a strong password on the interface and monitor the logs to see
if a bored employee is trying to get into it.
C) NEVER let the ASSP interface be accessed from the Internet directly.


Anyways this is my opinion, take it or leave it.

Kevin
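The root cause Kevin describes is a "file" parameter that is passed to the file viewer without being sanitised, so absolute paths, "../" sequences and UNC share paths are all honoured. The following is an added illustration of the server-side check that closes that class of bug; it is not ASSP's code (ASSP is Perl, this is Python) and the allowed directory, parameter names and sample inputs are constructed for the example.

```python
import os
import posixpath


class UnsafePath(ValueError):
    """Raised when a user-supplied 'file' parameter must not be served."""


def check_file_param(param: str) -> str:
    """Validate the raw 'file' query parameter and return a normalised,
    root-relative path.  Pure string logic: anything that could name a
    location outside the allowed directory raises UnsafePath."""
    if not param or "\x00" in param:
        raise UnsafePath("empty parameter or embedded NUL byte")
    if "\\" in param:
        # Backslashes cover Windows drive paths and UNC shares such as
        # \\server\share\file, the form the advisory shows being read.
        raise UnsafePath("backslash in path")
    if param.startswith("/"):
        raise UnsafePath("absolute path")
    if ":" in param.split("/")[0]:
        # Drive letters (C:...) or scheme-like prefixes in the first component.
        raise UnsafePath("drive or scheme prefix")
    norm = posixpath.normpath(param)
    # normpath keeps leading ".." components, so a traversal that escapes
    # the root is still visible after normalisation.
    if norm in (".", "..") or norm.startswith("../"):
        raise UnsafePath("path traversal outside root")
    return norm


def resolve_requested_file(param: str, root: str) -> str:
    """Map a validated parameter onto the filesystem below `root`, resolving
    symlinks so a link planted inside root cannot point back out of it."""
    rel = check_file_param(param)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePath("resolved path escapes root")
    return candidate


def is_rejected(param: str) -> bool:
    """True if check_file_param refuses the parameter (convenience for tests)."""
    try:
        check_file_param(param)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: the two from the advisory plus a few
    # traversal variants and one legitimate file under the viewer's root.
    samples = [
        "/etc/passwd",
        "\\\\servername\\sharename\\filename",
        "../../etc/passwd",
        "logs/../../etc/passwd",
        "C:/boot.ini",
        "logs/maillog.txt",
    ]
    for s in samples:
        verdict = "REJECTED" if is_rejected(s) else "ok -> " + check_file_param(s)
        print(f"{s!r:45} {verdict}")
```

The important design point is the second layer: even after the string check, the path is re-resolved with realpath and compared against the real root, because a symlink inside the allowed directory would otherwise reintroduce exactly the arbitrary-file read the advisory describes.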

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user