Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Andrew Badr (andrewbadrhotmail.com)
Date: Mon Jun 17 2002 - 11:22:09 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Security Advisory
    By Andrew Badr


    There is a vulnerability in the webMathematica software which allows remote
    clients (web surfers) to read an arbitrary file on the server (assuming the
    httpd-user has permission). This can reveal sensitive information such as
    that stored in /etc/passwd, /etc/inetd.conf, system logs, etc. (These
    examples are on UNIX -- note that Windows servers are also vulnerable.)

    Software Publisher: Wolfram Research

    Software Title: webMathematica


    Software Description: http://www.wolfram.com/ says:

    "webMathematica is the clear choice for adding interactive calculations to the web. This unique technology enables you to create web sites that allow users to compute and visualize results directly from a web browser.

    Based on the world's leading technical computing software and the proven Java Servlet technology, webMathematica is fully compatible with Mathematica and state-of-the-art dynamic web systems."


    Vulnerability type: Directory traversal

    Vunlerability details: webMathematica generates images based on user input, often involving mathematical figures or signs which cannot be displayed using normal ascii-text. Generated images are named a long numeric string (randomly generated?) and are displayed in the page presented to the user. The ID of the image is passed to a cgi-script as an argument the URL, as shown below, and altering this ID can trick the script into displaying other files on the system.



    Example normal URL: http://www.domain.com/webMathematica/MSP?MSPStoreID=MSPStore888808189_2408042780&MSPStoreType=image/gif

    Example exploited URL: http://www.domain.com/webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=image/gif

    Note that the normal user would never see the above 'normal' URL, as the URL only refers the generated image. It is found by viewing the page source, or through browser-specific methods. In Internet Explorer, for example, one would right-click on the generated image and click 'Properties'.


    Possible Workaround: Directly reference the generated image, thereby avoiding use of the 'MSP' script.

    Problem Elimination: Wolfram Research was able to fix this problem within hours of notification.


    More info:

    Encoded characters like %20 ( ), %22 ("), %3B (;) are all decoded in the script but I can't find a way to escape the display command, whatever it is, to e.g. execute a file.

    For different file types, changing the MSPStoreType argument from "image/gif" to "text" may give better results.


    The vendor HAS been notified of this vulnerability. The software has been fixed.


    -Andrew Badr

    _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com