PT-2019-13037
Daniel Kalinowski · Published 2019-06-24 · Updated 2019-06-27
CVE-2019-12938 · CVSS v3.1 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Analogic Poste.io version 2.1.6
Description
The Roundcube component bundled with Analogic Poste.io relies on an .htaccess file to block HTTP access to its logs/ directory. .htaccess directives are read only by the Apache HTTP Server; when Roundcube is served by nginx, as it is in Poste.io, the file is ignored and the restriction is never enforced. An unauthenticated attacker can therefore request the log of outgoing mail directly via the "webmail/logs/sendmail" URI and read information about messages sent through the webmail interface.
Recommendations
For Analogic Poste.io 2.1.6, enforce the restriction in the nginx configuration itself, since nginx will not read Roundcube's .htaccess: add a location rule that denies every request under the Roundcube logs/ directory (at minimum the "webmail/logs/sendmail" URI) and confirm that the URI now returns 403 or 404 instead of the log contents. Keep this in place until a fixed release of Poste.io is available.
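The following nginx fragment is an added illustration of the recommendation above; it is not Poste.io's shipped configuration. It assumes Roundcube is served under /webmail/ (as in the advisory's URI), that the files live at /var/www/roundcube/ (an assumed path), and that the denying rule is placed inside the server { } block that fronts Roundcube ahead of any other regular-expression location such as a PHP handler, because nginx uses the first matching regex location. The rule also covers temp/ and config/, which Roundcube's own .htaccess protects under Apache; that goes slightly beyond the logs/ directory the advisory names.

```nginx
# Before (vulnerable, for illustration): a plain prefix location serves
# everything under the Roundcube document root, including logs/, because
# nginx never reads the .htaccess file Roundcube ships with.
location /webmail/ {
    alias /var/www/roundcube/;   # assumed install path
    index index.php;
}

# After: a regex location takes precedence over the prefix location above,
# so it denies the internal directories regardless of where the prefix
# block sits. Place it before any other "location ~" block.
location ~ ^/webmail/(logs|temp|config)/ {
    # 403 for the whole subtree, e.g. /webmail/logs/sendmail.
    # logs/ is the directory the advisory concerns; temp/ and config/ are
    # also denied by Roundcube's own .htaccess rules under Apache.
    deny all;
}
```

After reloading nginx, `curl -sI https://<host>/webmail/logs/sendmail` should return 403 rather than 200 with log content.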
Weakness Enumeration
Protection Mechanism Failure (CWE-693)
Related Identifiers
CVE-2019-12938
Affected Products
Analogic Poste.Io
Apache Http Server
Roundcube
Nginx