MailPost vulnerable file system information disclosure via HTTP GET request

This document is on an external file. Please click here to access the information.

Vulnerability found:

03 November 2004

Credits:

ProCheckUp

Description:

A vulnerability is reported to exist in MailPost version 5.1.1sv and possibly earlier versions that may permit a remote attacker to verify the existance of files anywhere on the local system.

This information could be used to determine sensitive information about the server's environment.

How to fix:

The CERT/CC is currently unaware of a practical solution to this problem.
It may be possible to mitigate this vulnerability by modifying the information returned in error messages.

Legal:

Copyright 2005 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes
Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.