Directory Traversal in Axigen v7.4.1 running on Windows
- Tuesday, September 14, 2010, 2:03
- Articles, Threat Research
We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7. In this blog post we look at the details of a serious web vulnerability that Acunetix WVS discovered in Axigen.
Axigen describes its product as "an integrated email, calendaring & collaboration platform, masterfully built on our unique Linux mail server technology, for increased speed & security."
Axigen Webmail version 7.4.1 is vulnerable to directory traversal. Only Axigen installations running on Windows are affected: the application's traversal protection does not recognise the "\" character when it arrives URL-encoded as %5C, but Windows accepts the decoded backslash as a path separator, so the check is bypassed. Our scanner reported the following alert:
By requesting the URL /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini it is possible to read the contents of c:\windows\win.ini (a file that exists on every Windows installation, which is why scanners use it as proof). Using this encoding trick it is possible to traverse directories and read any file that is readable by the account the Axigen web server runs under; if the service runs as a privileged account such as LocalSystem, that is effectively any file on the disk.
Here is a sample HTTP request:
GET http://192.168.0.222:80/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini HTTP/1.1
Cookie: webmailSession=0; cookieTest=cookiesEnabled; checkOverQuota=0; passwordExpireWarning=0
Host: 192.168.0.222:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
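The request above worked through in code, as an added example that is not code from Acunetix or Axigen. Axigen's real filter is not public, so naive_is_safe() is a hypothetical stand-in for the class of bug described: checking the raw request path before percent-decoding and only recognising some spellings of the traversal sequence. Beside it sit the path Windows would actually open, a hardened resolver that decodes, canonicalises and then enforces the web root, and a log-side detector that surfaces single- and double-encoded separators. The web root C:\Program Files\Axigen\webmail is an assumed value, and Windows path semantics are emulated with ntpath so the demo runs on any OS.

```python
"""Encoded-backslash traversal: flawed filter, Windows path resolution, fix, detection.

Added example, not Axigen's code. naive_is_safe() is a hypothetical stand-in for
the kind of check the post describes as bypassed. WEBROOT is an assumed path.
Windows path rules are emulated with ntpath so this runs on any OS.
"""
import ntpath
import re
from urllib.parse import unquote

WEBROOT = r"C:\Program Files\Axigen\webmail"   # assumed install path (hypothetical)
PAYLOAD = "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini"  # URL from the post

_DOTDOT_SEP = re.compile(r"\.\.[\\/]")   # '..' followed by either Windows separator


def naive_is_safe(raw_path: str) -> bool:
    """Hypothetical flawed check run on the raw, still-encoded request path.

    '..%5c' contains neither '../' nor '..\\', so the payload passes.
    """
    return "../" not in raw_path and "..\\" not in raw_path


def windows_resolves_to(raw_path: str, webroot: str = WEBROOT) -> str:
    """The file a Windows file API opens once the server has decoded the path.

    Windows treats '\\' and '/' as equivalent and so does ntpath.normpath: the
    eight '..' components pop the three web-root components and the surplus
    ones are discarded at the drive root, which is how c:\\windows\\win.ini is reached.
    """
    decoded = unquote(raw_path)                                     # '..%5c' -> '..\\'
    return ntpath.normpath(ntpath.join(webroot, decoded.lstrip("/\\")))


def hardened_resolve(raw_path: str, webroot: str = WEBROOT):
    """Decode first, canonicalise with the OS's own rules, then enforce the root.

    Returns the canonical target path, or None if the request must be refused.
    A '%' surviving one round of decoding means double encoding (e.g. %255c),
    which is refused rather than decoded again.
    """
    decoded = unquote(raw_path)
    if "%" in decoded or "\x00" in decoded:
        return None
    root = ntpath.normcase(ntpath.normpath(webroot))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, decoded.lstrip("/\\"))))
    # ntpath.join drops the root when 'decoded' is itself absolute (e.g. 'D:\\x'),
    # so an absolute target also fails this prefix check.
    if target != root and not target.startswith(root + ntpath.sep):
        return None
    return target


def is_traversal_attempt(request_target: str) -> bool:
    """Log/WAF-side detection: decode up to three times so single- and
    double-encoded separators surface, then look for '..' + separator."""
    s = request_target
    for _ in range(3):
        if _DOTDOT_SEP.search(s):
            return True
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return False


if __name__ == "__main__":
    # Constructed sample request targets: the post's payload, a benign page,
    # and a double-encoded variant of the same attack.
    for path in (PAYLOAD, "/index.hsp", "/..%255c..%255cwindows/win.ini"):
        print(path)
        print("  naive filter passes :", naive_is_safe(path))
        print("  Windows would open  :", windows_resolves_to(path))
        print("  hardened resolve    :", hardened_resolve(path))
        print("  flagged by detector :", is_traversal_attempt(path))
```

The order of operations is the whole fix: decode once, refuse anything that still carries encoding, let the platform's own path rules collapse the separators and dot-dot segments, and only then compare against the web root. Filtering the raw string, as the naive check does, can be beaten by any encoding the filter author did not think of.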
While investigating this alert, (continue reading...)