Vulnerability Summary
The following advisory describes an information disclosure found at Fax.de. The vulnerability allowed an unauthenticated user to download other customers’ faxes in the past 24 hours without needing to preform anything more than to visit a directory and download the files found there.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vulnerability Details
By accessing the following URL:
http://ccs.fax.de/TEMP/
An attacker was able to list the fax messages stored on the server.
The problem stemmed from the fact that the server operator at fax.de used load balancing, where one web-server had folder access restrictions for the “TEMP” folder, while the other server did not.
As can be seen the list of PDF files were named with the following naming convention: “105176-2016-03-04-11-11-48-125F.PDF” where:
“105176(Fax.de-ID)-2016-03-04 (year-month-day)-11-11-48(hr-min-sec)-125F(Checksum).PDF”
Vendor Response
The vendor responded with:
My developer tells me that these directories were recently still hidden and he can not explain how this restriction is now gone.
By your note, we could solve the problem quickly and are now eighth much more critical to the shares.
And has addressed the vulnerability so that the directory containing the faxes are no longer visible to users (as a list of files), while the filename can be guessed, it would be quite difficult to do with several values found there would need to be guessed (including the timestamp and checksum).