CVE-2021-26293
📋 TL;DR
This vulnerability allows attackers to perform directory traversal attacks when DAV is enabled in AfterLogic Aurora and WebMail Pro. Attackers can create new files, including executable files under the web root, potentially leading to remote code execution. Affected users include all organizations running vulnerable versions with DAV enabled.
💻 Affected Systems
- AfterLogic Aurora
- AfterLogic WebMail Pro
📦 What is this software?
Aurora by Afterlogic
Webmail Pro by Afterlogic
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Webshell deployment allowing persistent access, data theft, and further exploitation of the mail server environment.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring in place.
🎯 Exploit Status
Exploitation requires DAV access, which typically requires authentication. However, once authenticated, the directory traversal is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 8.5.3
Vendor Advisory: https://auroramail.wordpress.com/2021/02/03/addressing-dav-related-vulnerability-in-webmail-and-aurora/
Restart Required: Yes
Instructions:
1. Download the latest version from the AfterLogic website.
2. Back up your current installation.
3. Replace vulnerable files with patched versions.
4. Restart the web server service.
🔧 Temporary Workarounds
Disable DAV functionality
Disable WebDAV access if not required for your use case
Edit configuration to disable DAV modules
Remove or rename DAVServer.php/Server.php files
Restrict file system permissions
Limit web server user permissions to prevent file creation in sensitive directories
chmod 755 /var/www
chown root:root /var/www
setfacl -m u:www-data:r-x /var/www
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the mail server from critical systems
- Deploy web application firewall (WAF) rules to detect and block directory traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check if DAV is enabled and version is 8.5.3 or earlier. Review configuration files for DAV settings.
Check Version:
Check version in admin panel or review software documentation files
Verify Fix Applied:
Verify version is updated beyond 8.5.3 and test DAV functionality for directory traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation patterns in web root
- DAV requests with '../' sequences
- Webshell file access logs
Network Indicators:
- Unusual outbound connections from mail server
- DAV protocol abuse patterns
SIEM Query:
source="webmail.log" AND ("../" OR "..\\" OR "%2e%2e%2f") AND (method="PUT" OR method="PROPPATCH")
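The SIEM query above only catches literal or single-encoded traversal sequences in two methods. As an added example (not part of the original advisory), the following Python script applies the same detection logic to web server access logs, normalizing URL encoding (including double encoding and backslashes) before checking for a `..` path segment, and extends the method list to the other DAV write methods (MKCOL, MOVE, COPY). The log lines are constructed samples, and the combined-log regex is an assumption about the log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Feb/2021:10:01:02 +0000] "PUT /dav/files/report.txt HTTP/1.1" 201 0
10.0.0.5 - alice [03/Feb/2021:10:01:09 +0000] "PUT /dav/files/../../shell.php HTTP/1.1" 201 0
10.0.0.7 - bob [03/Feb/2021:10:02:15 +0000] "PUT /dav/files/%2e%2e%2f%2e%2e%2fx.php HTTP/1.1" 201 0
10.0.0.7 - bob [03/Feb/2021:10:02:20 +0000] "PROPFIND /dav/files/ HTTP/1.1" 207 512
10.0.0.9 - carol [03/Feb/2021:10:03:00 +0000] "MOVE /dav/files/a.txt HTTP/1.1" 201 0
10.0.0.9 - carol [03/Feb/2021:10:03:05 +0000] "PUT /dav/files/%252e%252e/evil.php HTTP/1.1" 201 0
10.0.0.9 - carol [03/Feb/2021:10:03:11 +0000] "MKCOL /dav/files/..%5c..%5cwebroot HTTP/1.1" 201 0
"""

# DAV methods that create or move files; broader than the page's PUT/PROPPATCH.
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

# Assumed combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding) and unify slashes."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True only when a whole path segment is '..', not when '..' is inside a name."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def find_dav_traversal(log_text):
    """Return (ip, user, method, raw path, status) for DAV write requests with traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] in WRITE_METHODS and is_traversal(m["path"]):
            hits.append((m["ip"], m["user"], m["method"], m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_dav_traversal(SAMPLE_LOG):
        print("ALERT DAV traversal:", hit)
```

A 2xx status on a flagged request is the strongest signal, since it means the server accepted the write; correlate it with the file-creation indicators listed above.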