CVE-2021-26294
📋 TL;DR
This vulnerability allows directory traversal in AfterLogic Aurora and WebMail Pro, letting an attacker read sensitive files such as settings.xml, which contains admin credentials. It affects installations that still use the default caldav_public_user credentials, where it can be exploited without a legitimate user account. All versions through 7.7.9 are vulnerable.
💻 Affected Systems
- AfterLogic Aurora
- AfterLogic WebMail Pro
📦 What is this software?
- Aurora by AfterLogic
- WebMail Pro by AfterLogic
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via admin credential theft leading to data exfiltration, account takeover, and potential lateral movement within the network.
Likely Case
Unauthorized access to sensitive configuration files containing credentials, potentially leading to admin panel access and further exploitation.
If Mitigated
Limited impact with proper access controls, network segmentation, and credential rotation in place.
🎯 Exploit Status
Exploit uses simple directory traversal via %2e%2e (URL-encoded '..') in the path parameter. No authentication required when default credentials are present.
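The mechanism described above, as an added Python example that is not part of this advisory and is not AfterLogic's code: a hypothetical file-serving check that filters the raw URL path for '..' (and so misses '%2e%2e'), next to a hardened resolver that decodes first, normalizes, and confirms the result still lies under the share root. The directory layout (BASE_DIR, a sibling data/settings directory) is constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed layout for the example: the DAV "personal" share root sits next
# to the application's data directory, so a single ".." escapes it.
BASE_DIR = "/srv/aurora/personal"


def naive_is_safe(request_path: str) -> bool:
    """Vulnerable pattern (illustrative only): the check runs on the raw,
    still-encoded URL path, so '%2e%2e' passes and only becomes '..' when the
    path is decoded later, immediately before the file is opened."""
    return ".." not in request_path


def resolve_safely(request_path: str, base_dir: str = BASE_DIR):
    """Hardened pattern: decode (twice, to defeat double encoding), join to
    the share root, collapse '.' and '..' segments, then verify the result is
    still inside base_dir. Returns the resolved path, or None if it escapes."""
    decoded = unquote(unquote(request_path.split("?", 1)[0]))
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None  # request points outside the share root
    return candidate


if __name__ == "__main__":
    traversal = "%2e%2e/data/settings/settings.xml"
    print("naive check accepts encoded traversal:", naive_is_safe(traversal))
    print("hardened resolver rejects it:", resolve_safely(traversal) is None)
    print("normal request resolves to:", resolve_safely("docs/report.pdf"))
```

The prefix test uses `base_dir + "/"` rather than a bare `startswith(base_dir)`, so a sibling directory such as `/srv/aurora/personal-old` is not mistaken for a path inside the root. On a real server, resolve against the filesystem with `os.path.realpath` as well, so symlinks inside the share cannot point outside it.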
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 7.7.9
Vendor Advisory: https://afterlogic.com/security-advisory
Restart Required: Yes
Instructions:
1. Upgrade to a version after 7.7.9.
2. Apply vendor patches.
3. Restart affected services.
4. Change default credentials.
🔧 Temporary Workarounds
Change default credentials
Change the caldav_public_user password from the default to a strong, unique password. Use the admin panel to change the password for the caldav_public_user account.
Restrict access to dav/server.php
Block or restrict access to the vulnerable endpoint in the web server configuration:
# Apache (2.2 syntax; on 2.4 without mod_access_compat use "Require all denied" instead):
<Location /dav/server.php>
    Deny from all
</Location>
# Nginx:
location ~ /dav/server.php { deny all; }
Note that denying all access to this endpoint also stops legitimate CalDAV/CardDAV/WebDAV clients that use it; if those are needed, restrict by source address rather than denying everything.
🧯 If You Can't Patch
- Change all default credentials immediately, especially caldav_public_user
- Implement network segmentation to isolate affected systems from critical assets
🔍 How to Verify
Check if Vulnerable:
Attempt to access /dav/server.php/files/personal/%2e%2e/data/settings/settings.xml with the caldav_public_user credentials. If the XML file is returned, the system is vulnerable.
Check Version:
Check the version in the admin panel, or via the package manager if the software was installed that way: dpkg -l | grep afterlogic or rpm -qa | grep afterlogic
Verify Fix Applied:
Repeat the same directory traversal request after patching; it should return an error or be blocked. Confirm the installed version is greater than 7.7.9.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '/dav/server.php/files/personal/%2e%2e' (also watch for the uppercase '%2E%2E', the plain '..', and double-encoded '%252e%252e' variants of the same path)
- Multiple failed authentication attempts for caldav_public_user
- Access to settings.xml from unusual IPs
Network Indicators:
- Unusual traffic patterns to /dav/server.php endpoint
- Data exfiltration from server containing XML files
SIEM Query:
source="web_logs" AND (uri="*/dav/server.php/*%2e%2e*" OR uri="*/dav/server.php/*..*")
Use a substring (wildcard) match rather than an exact match, since the traversal path continues past the %2e%2e segment, and match case-insensitively so that %2E%2E is caught as well.
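The log indicators above, applied as an added Python example that is not part of this advisory: a small scanner over web server access logs that percent-decodes each request path until it is stable (so '%2e%2e', '%2E%2E', '%252e%252e' and plain '..' all normalize the same way), flags traversal attempts against /dav/server.php, and separates requests that answered 200 for settings.xml from those that were rejected. The log lines are constructed samples in combined log format, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /dav/server.php/files/personal/%2e%2e/data/settings/settings.xml HTTP/1.1" 200 2312 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:12:00:05 +0000] "PROPFIND /dav/server.php/files/personal/ HTTP/1.1" 207 894 "-" "DAVx5/3.3"
203.0.113.5 - - [10/Mar/2021:12:00:09 +0000] "GET /dav/server.php/files/personal/%2E%2E/data/settings/settings.xml HTTP/1.1" 401 0 "-" "curl/7.68.0"
192.0.2.9 - - [10/Mar/2021:12:01:00 +0000] "GET /dav/server.php/files/personal/%252e%252e/data/settings/settings.xml HTTP/1.1" 200 2312 "-" "python-requests/2.25"
192.0.2.9 - - [10/Mar/2021:12:01:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Strip the query string, percent-decode until the value stops changing
    (bounded, so double encoding is undone), and lowercase the result."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the request targets the DAV endpoint and contains a '..'
    segment in any encoding."""
    p = normalize_path(raw_path)
    return "/dav/server.php" in p and ".." in p


def scan_log(text: str):
    """Return one record per traversal attempt found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal_attempt(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "path": m["path"]})
    return hits


def successful_config_reads(hits):
    """Attempts that returned 200 for settings.xml: treat these as probable
    credential disclosure, not just scanning."""
    return [h for h in hits
            if h["status"] == 200 and normalize_path(h["path"]).endswith("settings.xml")]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["path"]}')
    print("probable disclosures:", len(successful_config_reads(found)))
```

A 401 or 403 on the traversal path still means someone is probing the endpoint and is worth an alert on the source address; a 200 with a body size consistent with settings.xml should be treated as credential exposure and followed by rotating the admin and caldav_public_user passwords.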