Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:5370
HistoryNov 10, 2003 - 12:00 a.m.

[NT] BEA Tuxedo Administration CGI Multiple Argument Issues

2003-11-1000:00:00
vulners.com
16
JSON

The following security advisory is sent to the securiteam mailing list, and can be found at
the SecuriTeam web site: http://www.securiteam.com

    • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

BEA Tuxedo Administration CGI Multiple Argument Issues

SUMMARY

The BEA Tuxedo Administration Console is a CGI application that allows the
remote administration of Tuxedo functions. One of the start-up arguments
it accepts is a path to an INI file containing environmental settings. By
entering various path values into this argument, it is possible to:

  • Confirm the existence of files outside of the web server environment.

  • Cause a Denial of Services (DoS) on the web server host.

  • Execute a cross-site scripting (XSS) attack through the application.

DETAILS

Vulnerable systems:

  • BEA Tuxedo version 8.1 and prior

The BEA Tuxedo Administration Console is a CGI application that allows the
remote administration of Tuxedo functions. One of the start-up arguments
that this CGI application accepts is a path to an INI file. This file
contains environmental variables, such as the default installation path of
the Tuxedo application etc.

The INIFILE argument appears not to be checked for any basic formatting
issues such as a path outside of the web root, the use of device names, or
for the presence of HTML constructs.

By entering various path values into the INIFILE argument it is possible
to use the Administration Console to confirm the existence of files
outside of the web server environment, including those on different
logical file systems and even network drives. Through this approach it is
possible to enumerate files, drives and hosts that are contactable by the
target web server, so that they might be used with other exploits.

By using standard device names (CON, AUX, COM1, COM2 etc) within the
arguments, the server thread will become unresponsive until the
service/daemon is restarted.

By using HTML constructs, mobile code such as JAVA can be executed within
the user's context. This style of attack can be used to gain access to
sensitive information, such as session cookies etc.

Proof of concept:
This proof of concept is known to work with a default BEA Tuxedo
installation on a Windows platform. To make it work within different
environments, you may need to alter the path used in the URL
appropriately.

To replicate the XSS issue, initiate a connection to the server that is
hosting the Tuxedo application, and then use the following URL.
http://host/udataobj/webgui/cgi-bin/tuxadm.exe?INIFILE=<
script>alert('XSS')</script>

This should result in an error, accompanied by a popup script dialog
containing the message "XSS".

Recommendations:
The application should be reviewed in line with security best practices,
such as those recommended by the OWASP project, with special consideration
paid to the validation of input, and output fields.

Access to administrative tools such as this should be restricted to
trusted domains only and where possible, should be protected by additional
measures, such as strong authentication.

BEA have released an advisory (
<http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/advisory03_38_00.jsp&gt;
BEA03-38.00) detailing the availability of a patch to correct the issues. This should be
reviewed and if found to be suitable, the patch should be applied.

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]>
Corsaire Advisories.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages.

JSON