PT-2019-13037
Daniel Kalinowski
Published 2019-06-24 · Updated 2019-06-27
CVE-2019-12938
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Analogic Poste.io version 2.1.6
Description
The issue concerns the Roundcube component of Analogic Poste.io. Roundcube protects its logs/ folder with an .htaccess file, which only the Apache HTTP Server honours; when Roundcube is served by nginx, which does not process .htaccess files, the folder is left unprotected. This allows attackers to read logs through the "webmail/logs/sendmail" URI.
Recommendations
For Analogic Poste.io version 2.1.6, restrict access to the logs/ folder by other means, for example by configuring nginx itself to deny access to the directory, until a permanent fix is available. As a temporary workaround, block the "webmail/logs/sendmail" URI to minimize the risk of exploitation.
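The nginx-side restriction the recommendation describes, as an added example configuration (not Poste.io's or Roundcube's shipped config). It assumes Roundcube is installed under /var/www/html/webmail and served at /webmail/, with PHP handled by a php-fpm socket; host name and paths are placeholders.

```nginx
# Added example: deny the Roundcube logs/ directory in nginx.
# nginx never reads .htaccess files, so Roundcube's logs/.htaccess is
# silently ignored; the deny must be written in the server block instead.
server {
    listen 80;
    server_name mail.example.test;   # placeholder host name
    root /var/www/html;              # assumed: Roundcube lives in /var/www/html/webmail

    # Block the directory the advisory names (webmail/logs/, e.g. logs/sendmail).
    # "^~" makes this prefix match win over the regex PHP location below, so
    # nothing under logs/ is served as a file or executed as a script.
    location ^~ /webmail/logs/ {
        deny all;   # every request to this prefix gets 403 Forbidden
    }

    # Normal PHP handling for the rest of Roundcube (assumed socket path).
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After `nginx -t` and a reload, a request for /webmail/logs/sendmail should return 403 instead of the log contents; the same pattern applies to any other Roundcube directory whose only protection is an .htaccess file.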
Weakness Enumeration
Protection Mechanism Failure
Related identifiers
Affected products
Analogic Poste.Io
Apache Http Server
Roundcube
Nginx