From labs@foundstone.com Wed Jun 13 23:04:07 2001 From: Foundstone Labs To: "'bugtraq@securityfocus.com'" Date: Wed, 13 Jun 2001 12:54:07 -0700 Subject: ScreamingMedia SITEWare arbitrary file retrieval vulnerability [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] FS Advisory ID: FS-061201-19-SMSW Release Date: June 11, 2001 Product: ScreamingMedia SITEWare Vendor: ScreamingMedia Inc. (http://www.screamingmedia.com) Vendor Advisory: http://www.screamingmedia.com/security/sms1001.php Type: Arbitrary file retrieval vulnerability Severity: High Author: Mike Shema (mike.shema@foundstone.com) Foundstone, Inc. (http://www.foundstone.com) Operating Systems: All operating systems Vulnerable versions: SITEWare 2.5 SITEWare 3.0 Foundstone Advisory: http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=326 --------------------------------------------------------------------- Description A vulnerability exists with ScreamingMedia's SITEWare Editor's Desktop which allows for the arbitrary viewing of world- readable files anywhere on the system. Details The SITEWare Editor's Desktop is a web-based administration front-end for ScreamingMedia content. The listening server can be assigned an arbitrary port on which to listen. The default login page is accessed by the URL: /SWEditServlet?station_path=Z&publication_id=2043&template=login.tem The SWEditServlet usually accesses templates from the "../SITEWare/Control/" directory; however, the servlet will follow directory path traversal. Therefore, by accessing the SWEditServlet and requesting an arbitrary template it is possible to view the source of that file. On a Solaris system, the following resource path will reveal the contents of /etc/passwd: /SWEditServlet?station_path=Z&publication_id=2043&template= ../../../../../../../../../../../etc/passwd Proof of concept From a browser, make the following URL request: http://server:port/SWEditServlet?station_path=Z&publication_id=2043& template=../../../../../../../etc/passwd Solution Please contact the vendor for a solution. Customers should obtain upgraded software by contacting their customer support representative to obtain patches. Credits We would also like to thank ScreamingMedia. for their prompt reaction to this problem and their co-operation in heightening security awareness in the security community. Disclaimer The information contained in this advisory is the copyright (C) 2001 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or conquential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.