MailTraq Exposes File System
Reported March 22, 2000 by Slash
Mailtraq is a message server aimed at individuals, small and medium sized companies and home offices (SOHOS). Mailtraq’s primary goal is to provide online services to local users by storing incoming and outgoing news and mail messages offline, then connecting to the Internet at controlled intervals to deliver outgoing messages and collect and store incoming messages. Mailtraq provides fully featured Mail, News and Intranet services, full disk logging of all activity, comprehensive firewall facilities plus many other services such as a Finger client, Mail-to-News and News-To-Mail gateways, Web Administration, etc. Mailtraq requires either the Windows NT (Server or Workstation), Windows 95 or Windows 98 operating systems to be running on the machine on which it is loaded.
By default Mailtraq installs it"s Webmail Administration menu which is accessible via http://some.domain.com/$/admin . The problem accoured when We tried to retrive http://some.domain.com/ We configured Mailtraq"s WWW server root directory to be C:\Program Files\Mailtraq\websys\webmail Since that \websys\webmail directory doesn"t contain index.html the server returned the complete file listing of the directory C:\Program Files\Mailtraq\websys\webmail. So we tried to exploit this a little bit, and discovered that anyone can browse and download files on the remote computer running Mailtraq Mail Server.
With a URL such as http://127.0.0.1/./../../../ you should get the complete listing of of files in c:\Program Files\ . According to the discoverers, "When the exploit was tried, we could only browse files from c:\Program Files\ . When we would add some more /../../../ to the exsisting URL we would get a "404 Page not found". We played around with this a little bit and found a way to exploit this too. To get to windows we should add some more /../../../ but a correct directory name was required. So we did it this way: http://127.0.0.1/../../../../../../../../../../././../../././..././.../.../windows/
There is also a bug that allows the remote attacker to find out in what directory is Mailtraq installed in. By inputing a large string after http://some.domain.com/ the server will return the path to Mailtraq"s installation directory.
Esample: http://127.0.0.1/../aaaaaaaaa\[a lot of a"s\]aaaaaaa
The output you should get will look like this:
File "C:\Program Files\Mailtraq\websys\webmail\aaaaaa\[a lot of a"s\]aaaaaa" could not be found
No patch was available as of April 5, 2000.
Reported by Slash