
Monday, July 24, 2017

[FD] [RT-SA-2017-006] Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to list directory contents and download arbitrary files from the affected system with root permissions.

Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Arbitrary File Disclosure
Security Risk: high
Vendor URL: http://ift.tt/2eHLoXd
Vendor Status: patch available
Advisory URL: http://ift.tt/2gWWsAc
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://ift.tt/1jQGmEN

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients' requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement."
(from the vendor's homepage)

More Details
============

When using the user frontend of the REDDOXX appliance [0] reachable via http://ift.tt/2usL3eA, HTTP POST requests are used to perform certain actions. For example, the following request is used to save the settings of the current user's profile:

