OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Foundstone Labs (labsfoundstone.com)
Date: Wed Jun 13 2001 - 14:54:07 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    FS Advisory ID: FS-061201-19-SMSW

    Release Date: June 11, 2001

    Product: ScreamingMedia SITEWare

    Vendor: ScreamingMedia Inc.
                            (http://www.screamingmedia.com)

    Vendor Advisory: http://www.screamingmedia.com/security/sms1001.php

    Type: Arbitrary file retrieval vulnerability

    Severity: High

    Author: Mike Shema (mike.shemafoundstone.com)
                            Foundstone, Inc. (http://www.foundstone.com)

    Operating Systems: All operating systems

    Vulnerable versions: SITEWare 2.5
                            SITEWare 3.0

    Foundstone Advisory:
    http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=326
    ---------------------------------------------------------------------

    Description

            A vulnerability exists with ScreamingMedia's SITEWare Editor's
            Desktop which allows for the arbitrary viewing of world-
            readable files anywhere on the system.

    Details

            The SITEWare Editor's Desktop is a web-based administration
            front-end for ScreamingMedia content. The listening server
            can be assigned an arbitrary port on which to listen. The
            default login page is accessed by the URL:

            /SWEditServlet?station_path=Z&publication_id=2043&template=login.tem

            The SWEditServlet usually accesses templates from the
            "../SITEWare/Control/" directory; however, the servlet will
            follow directory path traversal. Therefore, by accessing the
            SWEditServlet and requesting an arbitrary template it is
            possible to view the source of that file. On a Solaris
            system, the following resource path will reveal the contents
            of /etc/passwd:

            /SWEditServlet?station_path=Z&publication_id=2043&template=
            ../../../../../../../../../../../etc/passwd

    Proof of concept

            From a browser, make the following URL request:

            http://server:port/SWEditServlet?station_path=Z&publication_id=2043&
            template=../../../../../../../etc/passwd

    Solution

            Please contact the vendor for a solution. Customers should
            obtain upgraded software by contacting their customer support
            representative to obtain patches.

    Credits

            We would also like to thank ScreamingMedia. for their prompt
            reaction to this problem and their co-operation in heightening
            security awareness in the security community.

    Disclaimer

            The information contained in this advisory is the copyright
            (C) 2001 of Foundstone, Inc. and believed to be accurate at
            the time of printing, but no representation or warranty is
            given, express or implied, as to its accuracy or
            completeness. Neither the author nor the publisher accepts
            any liability whatsoever for any direct, indirect or
            conquential loss or damage arising in any way from any use
            of, or reliance placed on, this information for any purpose.
            This advisory may be redistributed provided that no fee is
            assigned and that the advisory is not modified in any way.