usd-2020-0028 | Mailoptimizer 4.3


Advisory ID: usd-2020-0028
CVE Number: CVE-2021-28042
Affected Product: Mailoptimizer
Affected Version: 4.3
Vulnerability Type: Path Traversal
Security Risk: High
Vendor URL: https://www.deutschepost.de/de/m/mailoptimizer.html
Vendor Status: Fixed


Description

A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.

Proof of Concept (PoC)

Two possible attack vectors were identified. The first attack vector is exploitable via the website. Here, a user is able to upload zip archives via the File -> File transfer -> Upload function. Using this vector, only xml, csv and txt files can be extracted. The second vector arises from the MO Connect feature. In this case the content of the imported zip files is not checked and any compressed file type will be extracted to an attacker-specified path. This makes it possible to write xml configuration files or to deploy Tomcat war archives containing malicious code.

Fix

The most effective way to prevent file path traversal vulnerabilities is to avoid passing user-supplied input to the filesystem. The application should validate the archive filenames before processing them. Ideally, the validation should compare against a whitelist of permitted values. If that isn’t possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters. After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path. It should verify that the canonicalized path starts with the expected base directory.
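The following Python function is an added example (not code from the advisory or the vendor) that applies the checks described above to the entries of an uploaded archive: each entry name is restricted to a permitted character set and extension, joined to the base directory, canonicalized, and written only if the canonical path stays inside that base directory. The allowed extensions, the entry names and the sample archive are constructed assumptions for the demonstration.

```python
import io
import os
import re
import tempfile
import zipfile
# Whitelist of permitted entry extensions (assumed: the types the upload vector allows).
ALLOWED_EXTENSIONS = (".xml", ".csv", ".txt")
# Entry names may contain only alphanumerics, dots, underscores, hyphens and forward slashes.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_./-]+$")

def is_safe_entry(name: str, base_dir: str) -> bool:
    """Return True only if the archive entry may be written below base_dir."""
    if not name or not SAFE_NAME.match(name):
        return False
    if os.path.isabs(name):
        return False
    if not name.lower().endswith(ALLOWED_EXTENSIONS):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Canonicalize, then require the result to stay inside the base directory.
    return os.path.commonpath([base, target]) == base

def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract only validated entries; return (extracted, rejected) entry-name lists."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_safe_entry(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def build_demo_archive() -> bytes:
    """Constructed sample archive: one benign entry, one traversal entry, one wrong type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("import/addresses.csv", "id,street\n1,Main St\n")
        zf.writestr("../../../etc/cron.d/job.txt", "placeholder content")
        zf.writestr("app.war", "placeholder content")
    return buf.getvalue()

def demo():
    """Run the hardened extraction against the constructed archive in a temp directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_demo_archive(), dest)
```

Only the csv entry is written; the traversal entry passes the character whitelist but fails the canonical-path check, and the war entry fails the extension whitelist.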

References

https://owasp.org/www-community/attacks/Path_Traversal

Timeline

  • 2020-03-25 This vulnerability was found during a penetration test for one of our customers
  • 2020-10-27 Vendor contact established and vulnerability details provided
  • 2020-10-28 Vendor confirmed vulnerability
  • 2020-11-09 Vendor published patch update
  • 2021-01-29 Security advisory released

Credits

This security vulnerability was found by Lars Neumann of usd AG.