
CVSS: 10.0 | EPSS: 2% | CPEs: 3 | EXPL: 0

Directory traversal vulnerability in Marshal MailMarshal SMTP 5.x, 6.x, and 2006, and MailMarshal for Exchange 5.x, allows remote attackers to write arbitrary files via ".." sequences in filenames in an ARJ compressed archive.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Marshal MailMarshal (formerly of NetIQ). Authentication is not required to exploit this vulnerability. The specific flaw exists within the extraction and scanning of ARJ compressed attachments. Due to incorrect sandboxing of extracted filenames that contain directory traversal modifiers such as "../", an attacker can cause an executable to be created in an arbitrary location. While existing files cannot be overwritten, an attacker may leverage this vulnerability in a number of ways.

• http://secunia.com/advisories/22806
• http://securityreason.com/securityalert/1857
• http://securitytracker.com/id?1017209
• http://www.marshal.com/kb/article.aspx?id=11450
• http://www.securityfocus.com/archive/1/451143/100/0/threaded
• http://www.securityfocus.com/bid/20999
• http://www.vupen.com/english/advisories/2006/4457
• http://www.zerodayinitiative.com/advisories/ZDI-06-039.html
• https://exchange.xforce.ibmcloud.com/vulnerabilities/30188

• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')