Path disclosure and file access on WebAdmin
Author : David A. Pérez <firstname.lastname@example.org>
WebAdmin is a web application to administer MDaemon and RelayFax. It
runs on its own or as an ISAPI application under Microsoft Internet
Information Services (IIS). MDaemon is an e-mail server for Microsoft
Windows. RelayFax is a fax server, also for Microsoft Windows. Both
applications have been developed by the same company as WebAdmin, Alt-N
Technologies (http://www.altn.com/). WebAdmin is not included by default
with MDaemon, nor with RelayFax.
WebAdmin provides access to the configuration and log files of MDaemon
and RelayFax. The web page that lists all the files provides access to
them through a hyperlink similar to:
This URL discloses the location where MDaemon or RelayFax is installed.
Also, WebAdmin.dll does not validate the user input, allowing an attacker
to craft the URL to access any file. For example:
- The vulnerability would not enable an attacker to gain any privileges
on an affected computer.
- An attacker will need to be able to log on with administrative
permissions.
- If WebAdmin is running under IIS, only the files accessible to the
IWAM_MACHINE account can be read.
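The following is an added illustration and is not code from the advisory or from Alt-N. It models the two problems described above in a small "view file" resolver for a WebAdmin-style page: the pre-2.0.3 shape, where the value in the URL is used as the path to open, next to a hardened shape that accepts only a name relative to the installation directory, decodes it once, normalises it with ntpath and refuses anything outside a fixed set of servable directories. The installation directory C:\MDaemon, the Logs and App subdirectories and the file names are constructed for the example; the real layout and the real URL format are not given in the advisory.

```python
# Added example (not from the advisory or from Alt-N): a "view file" resolver for
# a WebAdmin-style page, in the vulnerable shape the advisory describes and in a
# hardened shape. Paths, directory layout and file names are constructed.
import ntpath
from typing import Optional
from urllib.parse import unquote

# Constructed installation directory. The real value is whatever the
# administrator chose, and the original hyperlink exposed it.
INSTALL_DIR = r"C:\MDaemon"
# Constructed: the only directories whose files the page is meant to serve.
SERVABLE_DIRS = (r"C:\MDaemon\Logs", r"C:\MDaemon\App")


def resolve_vulnerable(file_param: str) -> str:
    """Behaviour the advisory describes for WebAdmin before 2.0.3: whatever
    the URL carries is the path that gets opened, so an absolute path or a
    ..\\ sequence reads any file the worker account can read."""
    return unquote(file_param)


def _is_within(path: str, base: str) -> bool:
    """True if the normalised Windows path lies inside base (or equals it)."""
    p = ntpath.normcase(ntpath.normpath(path))
    b = ntpath.normcase(ntpath.normpath(base))
    return p == b or p.startswith(b + "\\")


def resolve_hardened(file_param: str) -> Optional[str]:
    """Accept only a name relative to INSTALL_DIR, decode it exactly once,
    normalise it and refuse anything that ends up outside SERVABLE_DIRS."""
    name = unquote(file_param)
    # Absolute paths, drive-qualified names, rooted names and UNC shares are
    # never legitimate here; drop them before any joining happens.
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or name[:1] in ("\\", "/"):
        return None
    candidate = ntpath.normpath(ntpath.join(INSTALL_DIR, name))
    # normpath has already collapsed ..\ and converted / to \, so the prefix
    # check is made against the path that would actually be opened.
    if any(_is_within(candidate, base) for base in SERVABLE_DIRS):
        return candidate
    return None


def link_value_vulnerable(path: str) -> str:
    """What the pre-2.0.3 page put in the hyperlink: the absolute path,
    which is the path disclosure."""
    return path


def link_value_hardened(path: str) -> Optional[str]:
    """What the hyperlink should carry instead: the name relative to
    INSTALL_DIR, so the URL says nothing about where the product lives."""
    normalised = ntpath.normpath(path)
    if not _is_within(normalised, INSTALL_DIR):
        return None
    return normalised[len(ntpath.normpath(INSTALL_DIR)) + 1:]
```

Two points of the design are worth noting. The prefix check is done after normalisation, not on the raw parameter, so `Logs/../App/server.ini` is accepted as a legitimate file while `..\Windows\win.ini`, its URL-encoded form and a bare `C:\Windows\win.ini` are all refused. And the hyperlink carries only the relative name, which removes the disclosure independently of the traversal fix; the 2.0.3 release fixed the latter but not the former. On a real Windows server the handler should also make sure the path it checked is the one the OS opens (junctions and reparse points can redirect a path that looks inside the base), so the check here is a necessary filter, not the whole story.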
Vendor notified on April 10, 2003.
Vendor replied on April 10, 2003.
WebAdmin 2.0.3 has been available since April 14, 2003. This new version
patches the "file access" problem but still reveals the directory where
MDaemon or RelayFax is installed.
David A. Pérez