CVE-2021-26294 Scanner

AfterLogic Aurora and WebMail Pro are comprehensive email and collaboration platforms, designed for both personal and professional use. They offer a wide range of features including email, calendars, contacts, tasks, and file storage. These products are widely adopted by businesses, educational institutions, and individual users for their versatility and ease of integration with existing IT infrastructures. The software is known for its user-friendly interface and robust functionality, making it a popular choice for those seeking efficient communication and organization tools.

Specifically, this vulnerability exploits the WebDAV EndPoint by using a built-in “caldav_public_user@localhost” username and its predefined password. The attack involves crafting a request that navigates beyond the intended web root directory to access and read files, such as the settings.xml file, which contains critical system settings including administrative credentials and database host information. The vulnerability is a direct result of improper validation of user-supplied input in the file path.

Exploitation of this vulnerability can lead to a range of adverse effects including unauthorized access to admin accounts, database theft, and exposure of sensitive information. Attackers can leverage the disclosed information to perform further attacks, such as data breaches, account takeover, and potentially, gain full control over the affected systems. This underscores the criticality of securing web applications against information disclosure vulnerabilities.

By becoming a member of the securityforeveryone platform, users gain access to comprehensive security scanning capabilities that can detect vulnerabilities like the one found in AfterLogic Aurora and WebMail Pro. Our platform employs state-of-the-art technology to identify and report security weaknesses, helping users to stay ahead of potential threats. Membership offers not just diagnostic insights but also guidance on best practices and remediation strategies to enhance digital asset security.

References

• https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md
• https://nvd.nist.gov/vuln/detail/CVE-2021-26294