ScreamingMedia's SiteWare Web Publishing System Lets Remote Users View Any Files on the Server
SecurityTracker Alert ID: 1001748|
SecurityTracker URL: http://securitytracker.com/id/1001748
(Links to External Site)
Date: Jun 14 2001
Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 2.5, 2.501, 3.0, 3.01, 3.02, and 3.1; versions prior to 2.5 are no longer supported but may be vulnerable|
Foundstone warned of a vulnerability in ScreamingMedia's SiteWare web server software that allows remote users to view any file on the server.|
The vulnerability reportedly allows remote users to view any world-readable file on the server.
The server's SWEditServlet CGI uses templates that are normally accessed from the "../SITEWare/Control/" directory. A remote user can use "../" characters to traverse the directory structure and specify an arbitrary file to be viewed. The file can reportedly be located anywhere on the server.
For example, the following URL will reportedly return the password file on a Sun Solaris system:
[Editor's note: Please notice that the vendor's older advisory indicates that only files within the web root directory can be accessed but the Foundstone advisory indicates that any file on the server can be accessed.]
A remote user can view world readable files located anywhere on the server.|
The vendor plans to issue fixed versions. See the Vendor URL for the vendor's advisory.|
Vendor URL: www.screamingmedia.com/security/sms1001.php (Links to External Site)
Access control error, Input validation error|
|Underlying OS: Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: ScreamingMedia SITEWare arbitrary file retrieval vulnerability|
FS Advisory ID: FS-061201-19-SMSW
Release Date: June 11, 2001
Product: ScreamingMedia SITEWare
Vendor: ScreamingMedia Inc.
Vendor Advisory: http://www.screamingmedia.com/security/sms1001.php
Type: Arbitrary file retrieval vulnerability
Author: Mike Shema (firstname.lastname@example.org)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All operating systems
Vulnerable versions: SITEWare 2.5
A vulnerability exists with ScreamingMedia's SITEWare Editor's
Desktop which allows for the arbitrary viewing of world-
readable files anywhere on the system.
The SITEWare Editor's Desktop is a web-based administration
front-end for ScreamingMedia content. The listening server
can be assigned an arbitrary port on which to listen. The
default login page is accessed by the URL:
The SWEditServlet usually accesses templates from the
"../SITEWare/Control/" directory; however, the servlet will
follow directory path traversal. Therefore, by accessing the
SWEditServlet and requesting an arbitrary template it is
possible to view the source of that file. On a Solaris
system, the following resource path will reveal the contents
Proof of concept
From a browser, make the following URL request:
Please contact the vendor for a solution. Customers should
obtain upgraded software by contacting their customer support
representative to obtain patches.
We would also like to thank ScreamingMedia. for their prompt
reaction to this problem and their co-operation in heightening
security awareness in the security community.
The information contained in this advisory is the copyright
(C) 2001 of Foundstone, Inc. and believed to be accurate at
the time of printing, but no representation or warranty is
given, express or implied, as to its accuracy or
completeness. Neither the author nor the publisher accepts
any liability whatsoever for any direct, indirect or
conquential loss or damage arising in any way from any use
of, or reliance placed on, this information for any purpose.
This advisory may be redistributed provided that no fee is
assigned and that the advisory is not modified in any way.