SecurityTracker.com
Category:   Application (Web Server/CGI)  >   SiteWare
Vendors:   ScreamingMedia Inc.
ScreamingMedia's SiteWare Web Publishing System Lets Remote Users View Any Files on the Server
SecurityTracker Alert ID:  1001748
SecurityTracker URL:  http://securitytracker.com/id/1001748
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 14 2001
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.5, 2.501, 3.0, 3.01, 3.02, and 3.1; versions prior to 2.5 are no longer supported but may be vulnerable
Description:   Foundstone warned of a vulnerability in ScreamingMedia's SiteWare web server software that allows remote users to view any file on the server.

The vulnerability reportedly allows remote users to view any world-readable file on the server.

The server's SWEditServlet CGI uses templates that are normally accessed from the "../SITEWare/Control/" directory. A remote user can supply "../" sequences in the template parameter to traverse the directory structure and specify an arbitrary file to be viewed. The file can reportedly be located anywhere on the server.

For example, the following URL will reportedly return the password file on a Sun Solaris system:

http://server:port/SWEditServlet?station_path=Z&publication_id=2043&template=../../../../../../../etc/passwd

[Editor's note: Please note that the vendor's older advisory indicates that only files within the web root directory can be accessed, but the Foundstone advisory indicates that any file on the server can be accessed.]
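The containment check that the template parameter is missing, applied here to reviewing web access logs for requests that leave the template directory. This is an added example, not vendor or Foundstone code; the absolute path in TEMPLATE_ROOT, the function names and the log lines are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: absolute location of the "SITEWare/Control" template directory.
TEMPLATE_ROOT = "/opt/SITEWare/Control"

def resolve_template(name, root=TEMPLATE_ROOT):
    """Return the normalized path of a template, or None if it leaves root."""
    for _ in range(3):                      # undo nested percent-encoding
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    name = name.replace("\\", "/")
    if "\x00" in name:
        return None
    # Lexical check, suitable for logs; a server-side fix should also
    # resolve symlinks (os.path.realpath) before comparing.
    candidate = posixpath.normpath(posixpath.join(root, name))
    return candidate if candidate.startswith(root + "/") else None

def suspicious_requests(log_lines):
    """Return (line_number, template) for servlet requests that escape root."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        try:
            target = line.split('"')[1].split()[1]   # "GET <target> HTTP/1.0"
        except IndexError:
            continue                                  # not a request line
        url = urlsplit(target)
        if not url.path.endswith("/SWEditServlet"):
            continue
        for template in parse_qs(url.query).get("template", []):
            if resolve_template(template) is None:
                hits.append((number, template))
    return hits

# Constructed access-log lines (common log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2001:10:00:01 +0000] "GET /SWEditServlet?station_path=Z&publication_id=2043&template=login.tem HTTP/1.0" 200 1834',
    '192.0.2.10 - - [14/Jun/2001:10:00:09 +0000] "GET /SWEditServlet?station_path=Z&publication_id=2043&template=forms/../login.tem HTTP/1.0" 200 1834',
    '192.0.2.77 - - [14/Jun/2001:10:02:13 +0000] "GET /SWEditServlet?station_path=Z&publication_id=2043&template=../../../../../../../etc/passwd HTTP/1.0" 200 612',
    '192.0.2.10 - - [14/Jun/2001:10:03:02 +0000] "GET /index.html HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for number, template in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: template escapes {TEMPLATE_ROOT}: {template}")
```

Normalizing before comparing is what separates the second sample line, which contains ".." but stays inside the template directory, from the third, which resolves outside it.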

Impact:   A remote user can view world-readable files located anywhere on the server.
Solution:   The vendor plans to issue fixed versions. See the Vendor URL for the vendor's advisory.
Vendor URL:  www.screamingmedia.com/security/sms1001.php
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(A Similar Vulnerability Discloses SiteWare Authentication Data) Re: ScreamingMedia's SiteWare Web Publishing System Lets Remote Users View Any Files on the Server
There is a similar vulnerability in SiteWare. This one may disclose the application's authentication data to remote users.



 Source Message Contents

Subject:  ScreamingMedia SITEWare arbitrary file retrieval vulnerability


FS Advisory ID:         FS-061201-19-SMSW

Release Date:           June 11, 2001

Product:                ScreamingMedia SITEWare

Vendor:                 ScreamingMedia Inc.
                        (http://www.screamingmedia.com)

Vendor Advisory:        http://www.screamingmedia.com/security/sms1001.php

Type:                   Arbitrary file retrieval vulnerability

Severity:               High

Author:                 Mike Shema (mike.shema@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems

Vulnerable versions:    SITEWare 2.5
                        SITEWare 3.0

Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=326
---------------------------------------------------------------------

Description

        A vulnerability exists with ScreamingMedia's SITEWare Editor's
        Desktop which allows for the arbitrary viewing of world-
        readable files anywhere on the system.

Details

        The SITEWare Editor's Desktop is a web-based administration
        front-end for ScreamingMedia content.  The listening server
        can be assigned an arbitrary port on which to listen.  The
        default login page is accessed by the URL:

        /SWEditServlet?station_path=Z&publication_id=2043&template=login.tem

        The SWEditServlet usually accesses templates from the
        "../SITEWare/Control/" directory; however, the servlet will
        follow directory path traversal.  Therefore, by accessing the
        SWEditServlet and requesting an arbitrary template it is
        possible to view the source of that file.  On a Solaris
        system, the following resource path will reveal the contents
        of /etc/passwd:

        /SWEditServlet?station_path=Z&publication_id=2043&template=
        ../../../../../../../../../../../etc/passwd

Proof of concept

        From a browser, make the following URL request:

        http://server:port/SWEditServlet?station_path=Z&publication_id=2043&
        template=../../../../../../../etc/passwd

Solution

        Please contact the vendor for a solution. Customers should
        obtain upgraded software by contacting their customer support
        representative to obtain patches.

Credits

        We would also like to thank ScreamingMedia for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.

Disclaimer

        The information contained in this advisory is the copyright
        (C) 2001 of Foundstone, Inc. and believed to be accurate at
        the time of printing, but no representation or warranty is
        given, express or implied, as to its accuracy or
        completeness. Neither the author nor the publisher accepts
        any liability whatsoever for any direct, indirect or
        consequential loss or damage arising in any way from any use
        of, or reliance placed on, this information for any purpose.
        This advisory may be redistributed provided that no fee is
        assigned and that the advisory is not modified in any way.

 
 

