8611793 2002-06-17 11:22 -0500 /98 rader/ Andrew Badr <andrewbadr@hotmail.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-06-17 19:29 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22673>
Ärende: Directory Traversal in Wolfram Research's webMathematica
------------------------------------------------------------
From: "Andrew Badr" <andrewbadr@hotmail.com>
To: bugtraq@securityfocus.com
Message-ID: <F43qmtWNw3c4sJgnItL0002966b@hotmail.com>
Security Advisory
By Andrew Badr
-----------------
SUMMARY:
There is a vulnerability in the webMathematica software which allows
remote clients (web surfers) to read an arbitrary file on the server
(assuming the httpd-user has permission). This can reveal sensitive
information such as that stored in /etc/passwd, /etc/inetd.conf,
system logs, etc. (These examples are on UNIX -- note that Windows
servers are also vulnerable.)
Software Publisher: Wolfram Research
Software Title: webMathematica
--
Software Description: http://www.wolfram.com/ says:
"webMathematica is the clear choice for adding interactive
calculations to the web. This unique technology enables you to
create web sites that allow users to compute and visualize results
directly from a web browser.
Based on the world's leading technical computing software and the
proven Java Servlet technology, webMathematica is fully compatible
with Mathematica and state-of-the-art dynamic web systems."
--
Vulnerability type: Directory traversal
Vunlerability details: webMathematica generates images based on user
input, often involving mathematical figures or signs which cannot be
displayed using normal ascii-text. Generated images are named a long
numeric string (randomly generated?) and are displayed in the page
presented to the user. The ID of the image is passed to a cgi-script
as an argument the URL, as shown below, and altering this ID can
trick the script into displaying other files on the system.
--
Exploit:
Example normal URL:
http://www.domain.com/webMathematica/MSP?MSPStoreID=MSPStore888808189_2408042780&MSPStoreType=image/gif
Example exploited URL:
http://www.domain.com/webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=image/gif
Note that the normal user would never see the above 'normal' URL, as
the URL only refers the generated image. It is found by viewing the
page source, or through browser-specific methods. In Internet
Explorer, for example, one would right-click on the generated image
and click 'Properties'.
--
Possible Workaround: Directly reference the generated image, thereby
avoiding use of the 'MSP' script.
Problem Elimination: Wolfram Research was able to fix this problem
within hours of notification.
--
More info:
Encoded characters like %20 ( ), %22 ("), %3B (;) are all decoded in
the script but I can't find a way to escape the display command,
whatever it is, to e.g. execute a file.
For different file types, changing the MSPStoreType argument from
"image/gif" to "text" may give better results.
--
The vendor HAS been notified of this vulnerability.
The software has been fixed.
---
-Andrew Badr
_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com
(8611793) /Andrew Badr <andrewbadr@hotmail.com>/(Ombruten)