Bugtraq mailing list archives

Intershop 4 is vulnerable to a directory traversal (By Maarten Van Horenbeeck)


From: Christian Kahlo <C.Kahlo () intershop de>
Date: Thu, 27 Sep 2001 17:07:22 +0200


Hello,

securitywatch released a text saying the Intershop 4 e-business solution
is vulnerable to a "directory traversal".

This is definitely not the case.

The original e-mail from Andreas Constantinides on Bugtraq says he just
tried to find bugs by manipulating the URL.

An example URL given by Constantinides is
https://www.xxxxxxxx.com/cgi-bin/buy.storefront/3baecb4a00025ad227a4c30e95010642/winnt/cmd.exe?/c+dir+c

This URL is indeed similar to URLs used by the Intershop 4 application
server.
The hexadecimal number between the "CGI name" (it's not really a CGI) and
the added path is a session id. It is neither possible to escape to the
document or file system root nor to execute any binaries on the system. We
already double-checked this on Monday on an Intershop 4 system using NT and
IIS.
Any additions or manipulations to the URL that cannot be interpreted as
valid identifiers by the IS4 application server result in an error message
and/or a new session depending on the error and customization of the
application server.

Furthermore Constantinides states that it was not possible to generate any
abnormal action in the application server by submitting those manipulated
URLs.

It would be appropriate for securitywatch and Maarten Van Horenbeeck to
release a text disclaiming this security hole and explaining the mistake.

All rights to initiate any legal steps are still reserved. 

Kind regards,
Christian Kahlo

-- 
Christian Kahlo, Manager Security, Research and Development
INTERSHOP Communications, 14th Floor, INTERSHOP Tower, D-07740 Jena
Phone: +49-3641-50-3205, Fax: +49-3641-50-1014, GSM: +49-172-79865-42
Intershop(R) Sell Anywhere(tm), http://www.intershop.com
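
The behaviour described in the message above, as an added Python example (not part of the original e-mail and not Intershop's code): the request path is only ever matched against a session-id pattern and a list of known identifiers, never turned into a file path. The 32-hex-digit session format is inferred from the one sample URL in the message; the identifier names and the shop.example host are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: session ids are 32 hex digits, as in the sample URL in the message.
SESSION_ID = re.compile(r"[0-9a-f]{32}")
# Hypothetical identifiers; a real application server would hold its own list.
KNOWN_IDENTIFIERS = {"product", "basket", "checkout"}


def route(url):
    """Classify a storefront URL without ever mapping URL text to a file path."""
    # Decode each segment once, after splitting, so an encoded "/" or ".."
    # stays inside its segment and is judged by the allow-list like any other.
    segments = [unquote(s) for s in urlsplit(url).path.split("/") if s]
    # Locate the storefront handler, e.g. "buy.storefront".
    idx = next((i for i, s in enumerate(segments)
                if s.endswith(".storefront")), None)
    if idx is None:
        return ("error", "no storefront handler in path")
    rest = segments[idx + 1:]
    # A missing or malformed session id starts a fresh session.
    if not rest or not SESSION_ID.fullmatch(rest[0]):
        return ("new_session", "missing or malformed session id")
    # Everything after the session id must be a known identifier.
    unknown = [s for s in rest[1:] if s not in KNOWN_IDENTIFIERS]
    if unknown:
        return ("error", "unrecognized identifier: " + unknown[0])
    return ("dispatch", rest[1:])


if __name__ == "__main__":
    base = "https://shop.example/cgi-bin/buy.storefront/"
    sid = "3baecb4a00025ad227a4c30e95010642"  # session id from the message
    # Constructed sample requests.
    for url in (base + sid + "/basket",
                base + sid + "/winnt/cmd.exe?/c+dir+c",
                base + sid + "/%2e%2e/%2e%2e/winnt",
                base + "not-a-session/basket"):
        print(route(url), url)
```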


