webMethods Glue Management Console Directory Traversal

2007.04.19
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

aushack.com - Vulnerability Advisory ----------------------------------------------- Release Date: 11-Apr-2007 Software: webMethods - webMethods Glue Management Console http://www.webmethods.com/ "With webMethods Glue developers can easily create SOAP interfaces for their existing Java and C/C++ applications, and legacy systems can be easily Web service-enabled, allowing reuse. webMethods Glue includes a compact, high-performance implementation of important standards such as HTTP, Servlets, XML, SOAP, WSDL, and UDDI, and interoperates with Microsoft .NET, IBM WebSphere, BEA WebLogic, Apache Axis, and other Web service platforms." Versions affected: Glue 6.5.1 and below. Vulnerability discovered: Directory Traversal. Vulnerability impact: Medium - Read arbitrary system files. Vulnerability information: The webMethods Glue Management Console includes HTML pages via the /console?resource=console/index.html variable, which is prone to a classic traversal attack. Examples: http://glueconsole:8080/console?resource=../../../boot.ini http://glueconsole:8080/console?resource=boot.ini http://glueconsole:8080/console?resource=c:boot.ini Would return the contents of the 'boot.ini' file. Note that 'c:boot.ini' is also valid. It may be possible (but untested) to traverse other volumes. References: aushack.com advisory http://www.aushack.com/advisories/200704-webmethods.txt Credit: Patrick Webster ( patrick (at) aushack (dot) com [email concealed] ) Disclosure timeline: 20-Mar-2007 - Discovered during quick audit. 23-Mar-2007 - Vendor notified. No response. 11-Apr-2007 - Public disclosure. EOF


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top