Updated: webMethods Security Advisory: Glue console directory traversal vulnerability



========================================================================

                  webMethods Security Advisory 
            Glue console directory traversal vulnerability 
 
 
Announced: 2007-04-17
Revised:   2007-05-07
Affects:   webMethods Glue 4.x, 5.x, 6.x
Severity:  High
 

I. Description 
 
On April 11 2007, Patrick Webster reported a vulnerability in Glue
on this list.

The vulnerability allows a user to remotely read any file on the
server where the Glue server is running.  The full text of Patrick's
advisory is at http://www.aushack.com/advisories/200704-webmethods.txt.

This vulnerability has been assigned identifier CVE-2007-2048 in the 
Common Vulnerabilities and Exposures dictionary (http://cve.mitre.org).
 
 
II. Impact 
 
If an unauthorized attacker can connect to the vulnerable product, 
they can read any file on the target system by submitting a URL
such as  http://glueconsole:8080/console?resource=c:\boot.ini
or  http://glueconsole:8080/console?resource=/etc/passwd.  No 
authentication is required.
 
 
III. Workaround 
 
There are several optional workarounds:

(1) Disable the Glue console by editing the configuration files as 
follows.  This will prevent the attack, but limit the usability
of the system.

CAUTION: Changing these configuration files may render your system 
unreliable.  Back up all configuration files before making any changes. 

Make the following changes to the web.xml file found in glue/WEB-INF: 
 
* Remove the glue-console servlet definition 
   <servlet> 
      <servlet-name>glue-console</servlet-name> 
      <servlet-class>electric.console.ConsoleServlet</servlet-class> 
      ... 
   </servlet> 
 
* Remove the glue-console servlet mapping 
   <servlet-mapping> 
      <servlet-name>glue-console</servlet-name> 
      <url-pattern>/console/*</url-pattern> 
   </servlet-mapping> 


Make the following changes to the glue-config.xml file found in
glue/WEB-INF: 
 
* Change glue console enablement from "yes" to "no" 
     <console> 
     <!--enable the console by default?--> 
     <enabled>no</enabled> 
     ... 
 
(2) Block access to the /console URL by unauthorized users.  This 
blocking must be implemented using a third party product such as a 
firewall, and does not exist in webMethods products.  This workaround
does not prevent authorized users from reading any file on the system.

(3) If the Glue server is running on a UNIX system, run it within a
"chroot" environment to limit those files which can be read.
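
To confirm that workaround (1) has actually been applied, the two files can be checked mechanically. The following is an added example, not webMethods code: it parses web.xml and glue-config.xml and reports any remaining glue-console servlet definition, /console mapping, or console <enabled> value other than "no". The <web-app> and <config> root elements in the samples are assumptions, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

CONSOLE_NAME = "glue-console"                      # servlet-name from the advisory
CONSOLE_CLASS = "electric.console.ConsoleServlet"  # servlet-class from the advisory

def _local(tag):
    """Drop a namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def _named(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_web_xml(xml_text):
    """Findings for glue/WEB-INF/web.xml; an empty list means the console is gone."""
    root = ET.fromstring(xml_text)
    findings, names = [], {CONSOLE_NAME}
    for s in _named(root, "servlet"):
        name = _child_text(s, "servlet-name")
        if name == CONSOLE_NAME or _child_text(s, "servlet-class") == CONSOLE_CLASS:
            names.add(name)   # also catches the console class under another name
            findings.append(f"servlet definition still present: {name}")
    for m in _named(root, "servlet-mapping"):
        name, pattern = _child_text(m, "servlet-name"), _child_text(m, "url-pattern")
        if name in names or pattern.startswith("/console"):
            findings.append(f"servlet mapping still present: {name} -> {pattern}")
    return findings

def audit_glue_config(xml_text):
    """Findings for glue/WEB-INF/glue-config.xml."""
    consoles = _named(ET.fromstring(xml_text), "console")
    # Assumption: a missing <console> block is reported, since the default is not stated.
    if not consoles:
        return ["no <console> element found; console state not set explicitly"]
    return [f"console <enabled> is '{_child_text(c, 'enabled')}', expected 'no'"
            for c in consoles if _child_text(c, "enabled").lower() != "no"]

# Constructed samples (not real Glue files); the <web-app> and <config> roots are assumed.
VULNERABLE_WEB_XML = """<web-app>
  <servlet><servlet-name>glue-console</servlet-name>
    <servlet-class>electric.console.ConsoleServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>glue-console</servlet-name>
    <url-pattern>/console/*</url-pattern></servlet-mapping>
</web-app>"""
HARDENED_GLUE_CONFIG = "<config><console><enabled>no</enabled></console></config>"

if __name__ == "__main__":
    for finding in audit_web_xml(VULNERABLE_WEB_XML) + audit_glue_config(HARDENED_GLUE_CONFIG):
        print("FINDING:", finding)
```

An empty result from both functions means the edits described in workaround (1) are in place; it says nothing about whether workaround (2) or (3), or the fix in section IV, has been applied.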

 
IV. Fix 

Fix Glue_5-0-2_Fix3 for Glue 5.0 is available for download from 
http://www.webmethods.com/dnld/Glue_5-0-2_Fix3.zip.  After
downloading, follow the instructions in the ZIP file to install the fix.

Glue 6.x is a licensed software product.  Fixes are available to
customers from the Advantage web site (registered customers only).

Questions about these fixes or earlier product versions should be
directed to glue-security@xxxxxxxxxxxxxxx

 
V. Versions Affected 
 
webMethods Glue 4.x, 5.x, 6.x
 
 
VI. Mitigating Factors 
 
None 
 
 
VII. Solution 
 
See section IV above.
 
 
VIII. Common Criteria 
 
This alert does not apply to the Common Criteria evaluated 
configuration. 


IX. Acknowledgements

This problem was reported by Patrick Webster at www.aushack.com.  
webMethods appreciates Patrick's cooperation in reporting this problem 
and in verifying the vulnerability.
 
 
X. Security Alerts 
 
To subscribe to webMethods security alerts, send an email to 
security-alerts-request@xxxxxxxxxxxxxx with the word 'SUBSCRIBE' 
in the body of the message.  Alternately, subscribe to the "Security 
Alerts" forum on webMethods Advantage. 
 
 
XI. Copyright 
 
Copyright 2007 by webMethods, Inc. Permission is granted for copying 
and circulating this bulletin to webMethods customers for the purpose 
of alerting them to those topics covered by this bulletin, if and only 
if, this bulletin is not edited or changed in any way, is attributed 
to webMethods, and provided such reproduction and/or distribution is 
performed for non-commercial purposes. Any other use of this information
is prohibited. 
 
 
XII. Revision History 
 
2007-04-17 Initial release 
2007-05-07 Added information about how to get the fix, CVE identifier
 
========================================================================