ActivePost Standard is an interesting communication program for companies. It is constituited by the clients and a central server used for login, messaging, chat, files transfer and conferences.
The file-server runs on port 6004 and is used to upload files on the server so they can be downloaded by the target users. The problem is that an attacker is able to crash the file-server using a filename longer than 4074 chars. The file-server protocol is constituited by data blocks of 4104 bytes and doesn't seem possible to cause more damage.
------------------------------------------------------ B] File-server directory traversal and path disclosure ------------------------------------------------------
This is the most critical vulnerability because lets an attacker to upload malicious files everywhere in the disk on which is installed the ActivePost server overwriting any existing file. That happens exploiting a directory traversal bug in the name of the file to upload using the slash char. Example: /../../../windows/calc.exe The complete real path in which the remote file has been written is ever visible after each upload because this information is directly sent by the server.
Everytime an user enters in the conference menu, the server sends all the informations of the available rooms included the plain-text passwords of those protected. Check the following example data received from the server:
