Path disclosure and file access on WebAdmin
WebAdmin is a web application for administering MDaemon and RelayFax. It can run on its own or as an ISAPI application under Microsoft Internet Information Services (IIS). MDaemon is an e-mail server for Microsoft Windows. RelayFax is a fax server, also for Microsoft Windows. All three products are developed by the same company, Alt-N Technologies; WebAdmin is not included by default with MDaemon or with RelayFax.
WebAdmin provides access to the configuration and log files of MDaemon and RelayFax. The web page that lists these files links to each of them with a hyperlink similar to:
http://server/WebAdmin.dll?Session=X&Program=MDaemon&Directory:Name=C:\MDaemon\App&File:Name=MDAEMON.INI&View=EditFile
This URL discloses the location where MDaemon or RelayFax is installed.
Also, WebAdmin.dll does not validate the Directory:Name and File:Name parameters of this request, so a user can craft the URL to read any file on the server. For example:
http://server/WebAdmin.dll?Session=X&Program=MDaemon&Directory:Name=C:\WINNT&File:Name=WIN.INI&View=ViewFile
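The check that is missing in the vulnerable version is shown below as an added example; it is not code from the advisory or from Alt-N, and the install layout in ALLOWED_ROOTS (App and Logs directories under C:\MDaemon and C:\RelayFax) is an assumption made for the example, since WebAdmin would take these directories from its own configuration. resolve_vulnerable mirrors the original behaviour (join the two parameters and open the result), while resolve_hardened only accepts a bare file name inside one of the directories the Program is allowed to expose, after canonicalising the path so that ..-traversal, mixed separators and sibling-directory prefixes such as C:\MDaemon\Apps are caught. Windows path semantics are handled with ntpath, so the script runs on any platform without touching the file system.

```python
import ntpath
from urllib.parse import parse_qs, urlsplit

# Assumed install layout for this example; the real directories would come
# from WebAdmin's configuration and are not stated in the advisory.
ALLOWED_ROOTS = {
    "MDaemon": [r"C:\MDaemon\App", r"C:\MDaemon\Logs"],
    "RelayFax": [r"C:\RelayFax\App", r"C:\RelayFax\Logs"],
}

# The two URLs from the advisory, with the session id left as the placeholder X.
LEGIT_URL = ("http://server/WebAdmin.dll?Session=X&Program=MDaemon"
             r"&Directory:Name=C:\MDaemon\App&File:Name=MDAEMON.INI&View=EditFile")
ATTACK_URL = ("http://server/WebAdmin.dll?Session=X&Program=MDaemon"
              r"&Directory:Name=C:\WINNT&File:Name=WIN.INI&View=ViewFile")


def parse_request(url):
    """Split the query string into a dict, keeping the first value of each key."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def resolve_vulnerable(params):
    """Unvalidated behaviour: join whatever the client sent and hand it to the file API."""
    return ntpath.join(params["Directory:Name"], params["File:Name"])


def resolve_hardened(params):
    """Return the requested path only if it lies inside an allowed root for the Program.

    Raises ValueError for anything else.
    """
    roots = ALLOWED_ROOTS.get(params.get("Program", ""))
    if not roots:
        raise ValueError("unknown Program")
    directory = params.get("Directory:Name", "")
    filename = params.get("File:Name", "")
    if "\x00" in directory or "\x00" in filename:
        raise ValueError("NUL byte in parameter")
    # File:Name must be a bare file name: no drive, no separators, no '.' or '..'.
    if (not filename or filename in (".", "..")
            or ntpath.basename(filename) != filename
            or ntpath.splitdrive(filename)[0]):
        raise ValueError("File:Name is not a bare file name")
    # Directory:Name must be fully qualified (rejects relative and drive-relative 'C:foo').
    if not ntpath.isabs(directory) or not ntpath.splitdrive(directory)[0]:
        raise ValueError("Directory:Name is not an absolute path")
    # Canonicalise first, then compare path components (not string prefixes)
    # so that '..', '/' and 'C:\MDaemon\Apps' do not slip past the check.
    full = ntpath.normpath(ntpath.join(directory, filename))
    cased = ntpath.normcase(full)
    for root in roots:
        root_cased = ntpath.normcase(ntpath.normpath(root))
        try:
            if ntpath.commonpath([root_cased, cased]) == root_cased:
                return full
        except ValueError:
            # Different drives or UNC share: cannot be under this root.
            continue
    raise ValueError("path is outside the directories exposed for this Program")


def is_allowed(url):
    """True if the hardened resolver would serve the file named in the URL."""
    try:
        resolve_hardened(parse_request(url))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for url in (LEGIT_URL, ATTACK_URL):
        params = parse_request(url)
        print("vulnerable ->", resolve_vulnerable(params))
        print("hardened   ->", resolve_hardened(params) if is_allowed(url) else "rejected")
```

Note that the check confines the path but does not remove the information disclosure: the allowed directory still appears in every link, and the 2.0.3 fix described further down behaves the same way. Hiding the install path would require the page to reference files by an index or a name relative to the program's directory rather than by an absolute Directory:Name.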
– The vulnerability does not enable an attacker to gain any privileges on the affected computer.
– An attacker needs to be able to log on to WebAdmin with administrative permissions.
– If WebAdmin is running under IIS, only files readable by the IWAM_MACHINE account can be read.
Vendor notified on April 10, 2003.
Vendor replied on April 10, 2003.
WebAdmin 2.0.3 has been available since April 14, 2003. This version fixes the «file access» problem but still reveals the directory where MDaemon or RelayFax is installed.
Original Message on BUGTRAQ
Alt-N WebAdmin Remote File Viewing Vulnerability
Alt-N WebAdmin Remote File Disclosure Vulnerability