webMethods Glue Management Console Directory Traversal

2007-04-11T00:00:00
ID SECURITYVULNS:DOC:16653
Type securityvulns
Reporter Securityvulns
Modified 2007-04-11T00:00:00

Description

aushack.com - Vulnerability Advisory

Release Date: 11-Apr-2007

Software: webMethods - webMethods Glue Management Console http://www.webmethods.com/

"With webMethods Glue developers can easily create SOAP interfaces for their existing Java and C/C++ applications, and legacy systems can be easily Web service-enabled, allowing reuse. webMethods Glue includes a compact, high-performance implementation of important standards such as HTTP, Servlets, XML, SOAP, WSDL, and UDDI, and interoperates with Microsoft .NET, IBM WebSphere, BEA WebLogic, Apache Axis, and other Web service platforms."

Versions affected: Glue 6.5.1 and below.

Vulnerability discovered:

Directory Traversal.

Vulnerability impact:

Medium - Read arbitrary system files.

Vulnerability information:

The webMethods Glue Management Console includes HTML pages via the /console?resource=console/index.html variable, which is prone to a classic traversal attack.

Examples:

http://glueconsole:8080/console?resource=../../../boot.ini http://glueconsole:8080/console?resource=\boot.ini http://glueconsole:8080/console?resource=c:\boot.ini

Would return the contents of the 'boot.ini' file.

Note that 'c:\boot.ini' is also valid. It may be possible (but untested) to traverse other volumes.

References: aushack.com advisory http://www.aushack.com/advisories/200704-webmethods.txt

Credit: Patrick Webster ( patrick@aushack.com )

Disclosure timeline: 20-Mar-2007 - Discovered during quick audit. 23-Mar-2007 - Vendor notified. No response. 11-Apr-2007 - Public disclosure.

EOF