IBM WebSphere MQ File Transfer Insufficent Access Control

Type packetstorm
Reporter Nir Valtman
Modified 2012-08-12T00:00:00


                                            `*Exploit Author:* Nir Valtman  
*Affected Platforms: *Version 7.0.4 and all previous versions of  
WebSphereMQ File Transfer  
on all platforms are affected.  
Apparently they  
published the CVE above without mentioning my name, since I found it in the  
same time while IBM's team found it. This mail contains the exploitation  
methods of the CVE  
*Description:* Malicious user is able to access other user's files and  
*1. Privilege escalation to view other user's files and filespace*  
I logged on using user "user2" (non-administrative account  
with download\upload files permissions only) and then sent a GET request to  
the following URL:  
As a result, the response included the data of "user1".  
*2. Privilege escalation to download user user's files*  
In order to execute the attack, the malicious user should know the file  
name and the related ID before executing the attack.  
In this scenario, The malicious user is "user2" and the attacked user is  
If "user2" knows the url to file of "user1", then he can access this file,  
e.g. "user2" is able to access the following URL using a GET request:  
Best Regards,  
Nir Valtman