{"id":16677,"date":"2021-07-07T13:15:33","date_gmt":"2021-07-07T11:15:33","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0028\/"},"modified":"2021-07-19T14:15:21","modified_gmt":"2021-07-19T12:15:21","slug":"usd-2020-0028","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0028\/","title":{"rendered":"usd-2020-0028"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2020-0028 | Mailoptimizer 4.3<\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2020-0028<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2021-28042<\/span><br \/><strong>Affected Product<\/strong><span>: Mailoptimizer<\/span><br \/><strong>Affected Version<\/strong><span>: 4.3<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Path Traversal<\/span><br \/><strong>Security Risk<\/strong><span>: High<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.deutschepost.de\/de\/m\/mailoptimizer.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.deutschepost.de\/de\/m\/mailoptimizer.html<\/a><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<p>&nbsp;<\/p>\n<h3>Description<\/h3>\n<p><span>A path traversal attack aims to access files and directories that are stored outside the web root folder. 
By manipulating variables that reference files with \u201cdot-dot-slash (..\/)\u201d sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.<\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>Two attack vectors were identified. The first vector is exploitable via the web interface, where a user is able to upload zip archives via the File -&gt; File transfer -&gt; Upload function. Through this vector only xml, csv and txt files can be extracted, but to an attacker-controlled path. The second vector arises from the MO Connect feature. Here the content of the imported zip archives is not checked at all, so a file of any type is extracted to an attacker-specified path. This makes it possible to write xml configuration files or to deploy Tomcat war archives containing malicious code.<\/span><\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>The most effective way to prevent path traversal vulnerabilities is to avoid passing user-supplied input to the filesystem. Where the archive entry names must be used, the application should validate them before processing the archive. Ideally, the validation should compare against a whitelist of permitted values. If that isn\u2019t possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters. After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path. 
It should verify that the canonicalized path starts with the expected base directory followed by a path separator, so that a sibling directory sharing the same prefix (for example data-backup next to data) is not accepted, and it should apply this check to every entry of the archive before anything is written.<\/span><\/p>\n<h3>References<\/h3>\n<p><a href=\"https:\/\/owasp.org\/www-community\/attacks\/Path_Traversal\" target=\"_blank\" rel=\"noopener\">https:\/\/owasp.org\/www-community\/attacks\/Path_Traversal<\/a><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li>2020-03-25 Vulnerability found during a penetration test for one of our customers<\/li>\n<li>2020-10-27 Vendor contact established and vulnerability details provided<\/li>\n<li>2020-10-28 Vendor confirmed the vulnerability<\/li>\n<li>2020-11-09 Vendor published a patch<\/li>\n<li>2021-01-29 Security advisory released<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Lars Neumann of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"][\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2020-0028 | Mailoptimizer 4.3 Advisory ID: usd-2020-0028CVE Number: CVE-2021-28042Affected Product: MailoptimizerAffected Version: 4.3Vulnerability Type: Path TraversalSecurity Risk: HighVendor URL: https:\/\/www.deutschepost.de\/de\/m\/mailoptimizer.htmlVendor Status: Fixed &nbsp; Description A path traversal attack aims to access files and directories that are stored outside the web root folder. 
By manipulating variables that reference files with \u201cdot-dot-slash (..\/)\u201d sequences and their variations [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16677","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16677"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16677\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
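
The following is an added example, not code from the advisory, from usd AG or from the Mailoptimizer product. It illustrates the PoC and Fix sections above: it shows where an extractor that simply joins the base directory and each zip entry name would write the constructed archive's hostile entries (the naive behaviour of both vectors), and then extracts the same archive with the fix the advisory recommends: a whitelist of file types and path characters, canonicalization with a platform API, and a prefix check against the base directory that includes the trailing separator. The allowed extensions mirror the advisory's first vector; the component regex, the file names, the archive contents and the directory layout are assumptions made for this example.

```python
# Added example (not Mailoptimizer or usd AG code): naive vs. validated zip extraction.
# The archive contents, file names and directory layout below are constructed for it.
import io
import os
import posixpath
import re
import shutil
import tempfile
import zipfile

# File types the advisory's first vector lets through, reused here as the type allowlist.
ALLOWED_EXTENSIONS = {".xml", ".csv", ".txt"}
# Assumed policy for one path component: alphanumerics, '_' and '-' only.
# It rejects "", "." and "..", and with them every dot-dot-slash variant.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_-]+")


def build_sample_archive() -> bytes:
    """Constructed zip: two benign entries and five hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("contacts.csv", "name,email\nalice,alice@example.invalid\n")
        zf.writestr("reports/q1.txt", "ok\n")
        zf.writestr("../../webapps/evil.war", "PK\x03\x04")      # Zip Slip into a sibling tree
        zf.writestr("/etc/cron.d/job", "* * * * * root id\n")  # absolute path
        zf.writestr("..\\..\\settings.xml", "<settings/>")      # backslash variant of ../
        zf.writestr("../data-backup/x.csv", "a,b\n")            # shares a prefix with base dir
        zf.writestr("macro.xlsm", "not-a-real-workbook")        # type outside the allowlist
    return buf.getvalue()


def naive_target(base_dir: str, entry_name: str) -> str:
    """Where an extractor that simply joins base_dir and the entry name would write."""
    return os.path.normpath(os.path.join(base_dir, entry_name))


def is_contained(base_dir: str, candidate: str) -> bool:
    """Canonicalize both paths and require base_dir plus a separator as the prefix."""
    # A bare startswith(root) would accept /app/data-backup/x.csv for base /app/data.
    root = os.path.realpath(base_dir)
    return os.path.realpath(candidate).startswith(root + os.sep)


def safe_entry_path(base_dir: str, entry_name: str) -> str:
    """Validate one entry name as the advisory recommends; return its absolute target."""
    if "\\" in entry_name or "\x00" in entry_name:
        raise ValueError("forbidden character in entry name")
    if entry_name.startswith("/") or entry_name.endswith("/"):
        raise ValueError("absolute path or directory entry")
    *dirs, filename = entry_name.split("/")
    stem, ext = posixpath.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type %r not permitted" % ext)
    for component in dirs + [stem]:
        if not SAFE_COMPONENT.fullmatch(component):
            raise ValueError("path component %r not permitted" % component)
    # Defence in depth: even after the allowlist, canonicalize and check containment.
    target = os.path.realpath(os.path.join(base_dir, entry_name))
    if not is_contained(base_dir, target):
        raise ValueError("entry escapes the base directory")
    return target


def safe_extract(zip_bytes: bytes, base_dir: str):
    """Extract permitted entries below base_dir; return (written, {rejected: reason})."""
    written, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                target = safe_entry_path(base_dir, info.filename)
            except ValueError as exc:
                rejected[info.filename] = str(exc)   # nothing is written for this entry
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(info.filename)
    return written, rejected


def run_demo() -> dict:
    """Resolve the constructed archive naively, extract it safely, report what hit the disk."""
    work = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-demo-"))
    base = os.path.join(work, "app", "data")
    os.makedirs(base)
    archive = build_sample_archive()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        naive = {name: naive_target(base, name) for name in zf.namelist()}
    written, rejected = safe_extract(archive, base)
    on_disk = sorted(os.path.relpath(os.path.join(d, f), work)
                     for d, _, files in os.walk(work) for f in files)
    sibling = base + "-backup" + os.sep + "x.csv"  # same prefix as base, different directory
    trap = {"bare_startswith": os.path.realpath(sibling).startswith(base),
            "is_contained": is_contained(base, sibling)}
    shutil.rmtree(work)
    return {"base": base, "naive": naive, "written": written, "rejected": rejected,
            "on_disk": on_disk, "prefix_trap": trap}
```

`run_demo()` returns, for each constructed entry, the path a naive join would have used (the absolute entry resolves straight to `/etc/cron.d/job`, the `../` entry to a `webapps` directory two levels above the base), the two benign names that the validated extractor actually wrote, the reason each hostile name was rejected, and the prefix-trap comparison showing why the containment check must include the separator. Nothing is written for a rejected entry, and the type check runs before the path check so that a `.war` is refused regardless of where it points.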