usd-2020-0028 | Mailoptimizer 4.3

Advisory ID: usd-2020-0028
Affected Product: Mailoptimizer
Affected Version: 4.3
Vulnerability Type: Path Traversal
Security Risk: High
Vendor URL: https://www.deutschepost.de/de/m/mailoptimizer.html
Vendor Status: Fixed

Description

A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

Proof of Concept (PoC)

Two possible attack vectors were identified. The first attack vector is exploitable via the website. Here, a user is able to upload zip archives via the File -> File transfer -> Upload function. Using this vector, only xml, csv and txt files can be extracted. The second vector arises from the MO Connect feature. In this case, the contents of the imported zip files are not checked, and any compressed file type is extracted to an attacker-specified path. This makes it possible to write xml configuration files or to deploy Tomcat war archives containing malicious code.

Fix

The most effective way to prevent file path traversal vulnerabilities is to avoid passing user-supplied input to the filesystem. The application should validate the archive filenames before processing them. Ideally, the validation should compare against a whitelist of permitted values. If that isn't possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters. After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path. It should verify that the canonicalized path starts with the expected base directory.
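One way to implement the canonicalize-and-compare check described above for zip extraction, as an added Python example that is not the vendor's code: the sample archive, the `upload` base directory and the allow-list of `.xml`/`.csv`/`.txt` suffixes (taken from the first vector in the PoC) are constructed here for illustration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one legitimate entry, one "../" traversal entry of
# the kind the advisory describes, and one entry with a non-permitted suffix.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("import/customers.csv", "id,name\n1,example\n")
        zf.writestr("../../webapps/evil.war", b"not a real war file")
        zf.writestr("notes.exe", b"MZ")
    return buf.getvalue()

ALLOWED_SUFFIXES = {".xml", ".csv", ".txt"}  # assumed allow-list for this example

def is_safe_member(base_dir: str, member_name: str) -> bool:
    """True only if the member has an allowed suffix and resolves inside base_dir."""
    if not member_name or member_name.endswith("/"):
        return False  # directory entries are not extracted directly
    if os.path.splitext(member_name)[1].lower() not in ALLOWED_SUFFIXES:
        return False
    base = os.path.realpath(base_dir)
    # Append the untrusted name to the base, then canonicalize the result;
    # an absolute member name or "../" escape ends up outside the base.
    target = os.path.realpath(os.path.join(base, member_name))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. different drives on Windows
        return False

def safe_extract(zip_bytes: bytes, base_dir: str) -> tuple[list[str], list[str]]:
    """Extract allowed members under base_dir; return (extracted, rejected) names."""
    extracted, rejected = [], []
    base = os.path.realpath(base_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(base, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(base, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def demo() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), os.path.join(tmp, "upload"))
```

Running `demo()` extracts only `import/customers.csv` and rejects both the traversal entry and the `.exe` entry, which is the behaviour the fix paragraph calls for.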

Timeline

  • 2020-03-25 This vulnerability was found during a penetration test for one of our customers
  • 2020-10-27 Vendor contact established and vulnerability details provided
  • 2020-10-28 Vendor confirmed vulnerability
  • 2020-11-09 Vendor published patch update
  • 2021-01-29 Security advisory released

Credits

This security vulnerability was found by Lars Neumann of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: "more security."


In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.