Web application abuses : DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.16308

Category: Web application abuses

Title: DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities

Summary: A directory traversal vulnerability was found in DeskNow webmail; file attachment upload feature that may be exploited to upload files to arbitrary locations on the; server.;; A second directory traversal vulnerability exists in the document repository file delete feature.

Description: Summary:
A directory traversal vulnerability was found in DeskNow webmail
file attachment upload feature that may be exploited to upload files to arbitrary locations on the
server.

A second directory traversal vulnerability exists in the document repository file delete feature.

Vulnerability Impact:
A malicious webmail user may upload a JSP file to the script directory
of the server, and executing it by requesting the URL of the upload JSP file.

The second vulnerability may be exploited to delete arbitrary files on the server.

Solution:
Upgrade to DeskNow version 2.5.14 or newer.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2005-0332
BugTraq ID: 12421
http://www.securityfocus.com/bid/12421
Bugtraq: 20050202 [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities (Google Search)
http://marc.info/?l=bugtraq&m=110737616324614&w=2
http://www.security.org.sg/vuln/desknow2512.html
http://securitytracker.com/id?1013060
http://secunia.com/advisories/14116
XForce ISS Database: desknow-attachmentkey-file-upload(19206)
https://exchange.xforce.ibmcloud.com/vulnerabilities/19206
XForce ISS Database: desknow-filedo-file-deletion(19212)
https://exchange.xforce.ibmcloud.com/vulnerabilities/19212
XForce ISS Database: desknow-jsp-gain-access(19211)
https://exchange.xforce.ibmcloud.com/vulnerabilities/19211

Copyright Copyright (C) 2005 Noam Rathaus

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.16308
Category:	Web application abuses
Title:	DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities
Summary:	A directory traversal vulnerability was found in DeskNow webmail; file attachment upload feature that may be exploited to upload files to arbitrary locations on the; server.;; A second directory traversal vulnerability exists in the document repository file delete feature.
Description:	Summary: A directory traversal vulnerability was found in DeskNow webmail file attachment upload feature that may be exploited to upload files to arbitrary locations on the server. A second directory traversal vulnerability exists in the document repository file delete feature. Vulnerability Impact: A malicious webmail user may upload a JSP file to the script directory of the server, and executing it by requesting the URL of the upload JSP file. The second vulnerability may be exploited to delete arbitrary files on the server. Solution: Upgrade to DeskNow version 2.5.14 or newer. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2005-0332 BugTraq ID: 12421 http://www.securityfocus.com/bid/12421 Bugtraq: 20050202 [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities (Google Search) http://marc.info/?l=bugtraq&m=110737616324614&w=2 http://www.security.org.sg/vuln/desknow2512.html http://securitytracker.com/id?1013060 http://secunia.com/advisories/14116 XForce ISS Database: desknow-attachmentkey-file-upload(19206) https://exchange.xforce.ibmcloud.com/vulnerabilities/19206 XForce ISS Database: desknow-filedo-file-deletion(19212) https://exchange.xforce.ibmcloud.com/vulnerabilities/19212 XForce ISS Database: desknow-jsp-gain-access(19211) https://exchange.xforce.ibmcloud.com/vulnerabilities/19211
Copyright	Copyright (C) 2005 Noam Rathaus