webMethods Security Advisory: Glue console directory traversal vulnerability

2007-04-17T00:00:00
ID SECURITYVULNS:DOC:16743
Type securityvulns
Reporter Securityvulns
Modified 2007-04-17T00:00:00

Description

========================================================================
webMethods Security Advisory
Glue console directory traversal vulnerability

Announced: 2007-04-17
Affects:   webMethods Glue 4.x, 5.x, 6.x
Severity:  High

I. Description

On April 11 2007, Patrick Webster reported a vulnerability in Glue on this list.

The vulnerability allows a user to remotely read any file on the server where the Glue server is running. The full text of Patrick's advisory is at http://www.aushack.com/advisories/200704-webmethods.txt.

II. Impact

If an unauthorized attacker can connect to the vulnerable product, they can read any file on the target system that is readable by the account the Glue server runs as, by submitting a URL such as http://glueconsole:8080/console?resource=c:\boot.ini or http://glueconsole:8080/console?resource=/etc/passwd. No authentication is required.
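
The URLs above imply a handler that takes the resource value and opens it as a path. The following is an added illustration, not code from webMethods Glue (the advisory does not show ConsoleServlet's source): read_unconfined() is a generic reconstruction of the behaviour those URLs imply, and read_confined() is the standard root-confinement check that closes this class of bug. The directory tree, the file names and the "console root" are all constructed in a temp dir so the demo runs offline, and the resource value is assumed to arrive already URL-decoded, as a servlet's getParameter() would deliver it.

```python
"""Unconfined versus confined 'resource' lookup for a console-style handler.

Added example, not code from webMethods Glue. read_unconfined() reconstructs
the behaviour implied by the advisory's URLs; read_confined() is a standard
root-confinement check. Everything here is built in a temp dir for the demo.
"""
import os
import tempfile


class ResourceError(Exception):
    """Raised when a requested resource would leave the console root."""


def read_unconfined(root, resource):
    """Vulnerable pattern: join and open.

    os.path.join() discards `root` when `resource` is absolute, and a
    relative '../' walks out of it, so any readable file can be returned.
    """
    with open(os.path.join(root, resource), "rb") as fh:
        return fh.read()


def read_confined(root, resource):
    """Hardened pattern: resolve first, then prove the result is under root.

    realpath() collapses '..', resolves symlinks and leaves an absolute
    `resource` as itself, so one prefix test on the final path covers
    absolute paths, traversal and symlink escapes alike.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, resource))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise ResourceError("resource escapes console root: %r" % resource)
    with open(candidate, "rb") as fh:
        return fh.read()


def demo():
    """Build a small constructed tree and exercise both readers."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "console")        # what the console may serve
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html>")
    secret = os.path.join(base, "secret.txt")   # sits outside the root
    with open(secret, "wb") as fh:
        fh.write(b"secret")
    try:                                         # symlink pointing out of root
        os.symlink(secret, os.path.join(root, "link.txt"))
        have_link = True
    except (OSError, AttributeError):            # platforms without symlinks
        have_link = False

    def attempt(reader, resource):
        try:
            return reader(root, resource)
        except ResourceError:
            return "rejected"

    results = {
        "unconfined_ok":        attempt(read_unconfined, "index.html"),
        "unconfined_traversal": attempt(read_unconfined, "../secret.txt"),
        "unconfined_absolute":  attempt(read_unconfined, secret),
        "confined_ok":          attempt(read_confined, "index.html"),
        "confined_traversal":   attempt(read_confined, "../secret.txt"),
        "confined_absolute":    attempt(read_confined, secret),
    }
    if have_link:
        results["confined_symlink"] = attempt(read_confined, "link.txt")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22s %r" % (name, outcome))
```

The check is deliberately done on the resolved path rather than by rejecting ".." or a leading slash in the string: string filters miss encodings and symlinks, whereas a prefix test on realpath() output holds regardless of how the escape was spelled.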

III. Workaround

There are several optional workarounds:

(1) Disable the Glue console by editing the configuration files as follows. This will prevent the attack, but limit the usability of the system.

CAUTION: Changing these configuration files may render your system unreliable. Back up all configuration files before making any changes.

Make the following changes to the web.xml file found in glue/WEB-INF:

  • Remove the glue-console servlet definition:

        <servlet>
          <servlet-name>glue-console</servlet-name>
          <servlet-class>electric.console.ConsoleServlet</servlet-class>
          ...
        </servlet>

  • Remove the glue-console servlet mapping:

        <servlet-mapping>
          <servlet-name>glue-console</servlet-name>
          <url-pattern>/console/*</url-pattern>
        </servlet-mapping>

Make the following changes to the glue-config.xml file found in glue/WEB-INF:

  • Change the console enablement from "yes" to "no":

        <console>
          <!--enable the console by default?-->
          <enabled>no</enabled>
          ...

(2) Block access to the /console URL by unauthorized users. This blocking must be implemented using a third-party product such as a firewall; no webMethods product provides it. This workaround does not prevent authorized users from reading any file on the system.

(3) If the Glue server is running on a UNIX system, run it within a "chroot" environment to limit which files can be read.
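
Workaround (2) keeps unauthorized users away from /console but, as noted, not authorized ones, and neither workaround tells you whether the parameter has already been abused. The complementary control is to watch the web access log for the request shape given in section II. The following is an added example, not part of this advisory: the access-log format (Apache combined) and the sample lines are constructed for the demo, and which resource values count as suspicious is my own choice rather than a vendor rule.

```python
"""Flag Glue console requests whose 'resource' parameter names a file
outside the console, the pattern section II of the advisory describes.

Added example, not part of the webMethods advisory. The log format and the
sample lines are constructed; the suspicious-value rules are my own.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines: two reproduce the advisory's URLs verbatim, one
# uses an encoded '../' chain, the rest are benign console and SOAP traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2007:10:01:02 +0000] "GET /console?resource=c:\\boot.ini HTTP/1.1" 200 311 "-" "curl/7.15"
10.0.0.5 - - [17/Apr/2007:10:01:05 +0000] "GET /console?resource=/etc/passwd HTTP/1.1" 200 1820 "-" "curl/7.15"
10.0.0.9 - - [17/Apr/2007:10:02:00 +0000] "GET /console?resource=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 900 "-" "Mozilla/4.0"
192.168.1.20 - - [17/Apr/2007:10:03:00 +0000] "GET /console?resource=images/logo.gif HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
192.168.1.20 - - [17/Apr/2007:10:03:01 +0000] "GET /console/ HTTP/1.1" 200 5000 "-" "Mozilla/4.0"
10.0.0.9 - - [17/Apr/2007:10:04:00 +0000] "GET /soap?service=foo HTTP/1.1" 200 120 "-" "Mozilla/4.0"
"""

# Apache combined log format; only the fields the detection needs are named.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
DRIVE = re.compile(r"^[A-Za-z]:/")   # c:/... after backslash normalisation


def classify_resource(raw):
    """Return why a 'resource' value is suspicious, or None if it looks benign.

    `raw` is taken after the container's single URL-decode; decoding once
    more here catches %252e-style double encoding of the same payloads.
    """
    value = unquote(raw).replace("\\", "/")
    if DRIVE.match(value):
        return "absolute-windows"
    if value.startswith("/"):
        return "absolute-posix"
    if ".." in value.split("/"):
        return "traversal"
    return None


def scan_log(text):
    """Return one hit per console request carrying a suspicious resource."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # The servlet is mapped at /console/*; /console itself is also used.
        if parts.path != "/console" and not parts.path.startswith("/console/"):
            continue
        # parse_qs URL-decodes once, as the servlet container would.
        for resource in parse_qs(parts.query).get("resource", []):
            reason = classify_resource(resource)
            if reason:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"),
                             "resource": resource, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(ts)s %(ip)-13s %(status)s %(reason)-16s %(resource)s" % hit)
```

A 200 status on a flagged line is the signal that matters: the advisory's URLs return the file content on success, so flagged requests with 200 responses should be treated as confirmed disclosure, not merely as probes.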

IV. Fix

A fix is not currently available.

V. Versions Affected

webMethods Glue 4.x, 5.x, 6.x

VI. Mitigating Factors

None

VII. Solution

For Glue 6.5.1, a fix will be available by May 1. This alert will be updated and rereleased with the fix information at that time.

For other versions of Glue, contact webMethods Technical Services for assistance.

VIII. Common Criteria

This alert does not apply to the Common Criteria evaluated configuration.

IX. Acknowledgements

This problem was reported by Patrick Webster at www.aushack.com.
webMethods appreciates Patrick's cooperation in reporting this problem and in verifying the vulnerability.

X. Security Alerts

To subscribe to webMethods security alerts, send an email to security-alerts-request@webmethods.com with the word 'SUBSCRIBE' in the body of the message. Alternately, subscribe to the "Security Alerts" forum on webMethods Advantage.

XI. Copyright

Copyright 2007 by webMethods, Inc. Permission is granted for copying and circulating this bulletin to webMethods customers for the purpose of alerting them to those topics covered by this bulletin, if and only if, this bulletin is not edited or changed in any way, is attributed to webMethods, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited.

XII. Revision History

2007-04-17 Initial release

========================================================================