ScreamingMedia SITEWare arbitrary file retrieval vulnerability

[Foundstone Labs <labs () foundstone com>]

FS Advisory ID:         FS-061201-19-SMSW

Release Date:           June 11, 2001

Product:                ScreamingMedia SITEWare

Vendor:                 ScreamingMedia Inc.
                        (http://www.screamingmedia.com)

Vendor Advisory:        http://www.screamingmedia.com/security/sms1001.php

Type:                   Arbitrary file retrieval vulnerability

Severity:               High

Author:                 Mike Shema (mike.shema () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems

Vulnerable versions:    SITEWare 2.5
                        SITEWare 3.0

Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=326
---------------------------------------------------------------------

Description

        A vulnerability exists with ScreamingMedia's SITEWare Editor's
        Desktop which allows for the arbitrary viewing of world-
        readable files anywhere on the system.

Details

        The SITEWare Editor's Desktop is a web-based administration
        front-end for ScreamingMedia content.  The listening server
        can be assigned an arbitrary port on which to listen.  The
        default login page is accessed by the URL:

        /SWEditServlet?station_path=Z&publication_id=2043&template=login.tem

        The SWEditServlet usually accesses templates from the
        "../SITEWare/Control/" directory; however, the servlet will
        follow directory path traversal.  Therefore, by accessing the
        SWEditServlet and requesting an arbitrary template it is
        possible to view the source of that file.  On a Solaris
        system, the following resource path will reveal the contents
        of /etc/passwd:

        /SWEditServlet?station_path=Z&publication_id=2043&template=
        ../../../../../../../../../../../etc/passwd

Proof of concept

        From a browser, make the following URL request:

        http://server:port/SWEditServlet?station_path=Z&publication_id=2043&;
        template=../../../../../../../etc/passwd

Solution

        Please contact the vendor for a solution. Customers should
        obtain upgraded software by contacting their customer support
        representative to obtain patches.

Credits

        We would also like to thank ScreamingMedia. for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.

Disclaimer

        The information contained in this advisory is the copyright
        (C) 2001 of Foundstone, Inc. and believed to be accurate at
        the time of printing, but no representation or warranty is
        given, express or implied, as to its accuracy or
        completeness. Neither the author nor the publisher accepts
        any liability whatsoever for any direct, indirect or
        conquential loss or damage arising in any way from any use
        of, or reliance placed on, this information for any purpose.
        This advisory may be redistributed provided that no fee is
        assigned and that the advisory is not modified in any way.