mailing list archives
SPAMINA EMAIL FIREWALL 220.127.116.11 - Directory Traversal -
From: sisco.barrera () gmail com
Date: Tue, 7 Jan 2014 14:57:31 GMT
Vulnerability in the web application of Spamina email firewall.
Vulnerability Type: Directory Traversal
- Original release date: October 3th, 2013
- Last revised: December 9th, 2013
- Discovered by: Sisco Barrera - A2SECURE
Products and affected versions:
SPAMINA EMAIL FIREWALL 18.104.22.168 (maybe other versions also vulnerable)
Vulnerability Discovered by: Sisco Barrera - sisco.barrera () gmail com
Company: A2SECURE - España
A2Secure Website: http://www.a2secure.com
Vendor Website: http://www.spamina.com
Application Website: http://es.spamina.com/es/products.php?pob=CloudEmailFirewall
Spamina is a global leader in offering innovative Cloud-based E-mail & Web security solutions. Our security solutions
help organizations to instantly secure and manage their information while maintaining compliance and corporate
policies. Spamina solutions include Cloud Email Firewall, Cloud Email Encryption & DLP, Cloud Email Archiving and Cloud
Web Security to provide Web traffic filtering.
A directory-traversal attack is based on the premise that web clients are limited to specific directories within the
Windows files system. The initial directory access by web clients is known as the root directory on a web server. This
root directory typically stores the home page usually known as Default or Index, as well as other HTML documents for
the web server. The web server should allow users to access only these specific directories and subdirectories of root.
However, a directory- traversal attack permits access to other directories within the file system. The encoded version
of / (slash) in ../ directory traversal request (%2E%2E%2F) seems to be now fixed, after our previous alert.
Spamina should define access rights to private folders on the web server, implement a special characters filtering,
apply patches and hotfixes.
Proof of Concepts
This URLs just show the directory traversal are this:
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or
systems, not to be able to attack or damage. Therefore A2Secure shall not be liable for any direct or indirect damages
that might be caused by using this information.
- SPAMINA EMAIL FIREWALL 22.214.171.124 - Directory Traversal - sisco . barrera (Jan 07)