what you don't know can hurt you

Hybris Commerce Software Suite 5.x File Disclosure / Traversal

Hybris Commerce Software Suite 5.x File Disclosure / Traversal
Posted Feb 18, 2015
Site redteam-pentesting.de

Various Hybris Commerce Software Suite 5.x releases suffer from a directory traversal vulnerability that allows for arbitrary file disclosure.

tags | exploit, arbitrary
advisories | CVE-2014-8871
MD5 | f3f0f1d5b0839f2d06e5452a0d4799bb

Hybris Commerce Software Suite 5.x File Disclosure / Traversal

Change Mirror Download
Advisory: Directory Traversal and Arbitrary File Disclosure in hybris
Commerce Software Suite

During a penetration test, RedTeam Pentesting discovered a Directory
Traversal vulnerability in hybris Commerce software suite. This
vulnerability allows attackers to download arbitrary files of any size
from the affected system.


Product: hybris Commerce Software Suite
Affected Versions:
Release 5.3: <=
Release 5.2: <=
Release 5.1.1: <=
Release 5.1: <=
Release 5.0.4: <=
Release 5.0.3: <=
Release 5.0.0: <=
Fixed Versions:
Release 5.3:
Release 5.2:
Release 5.1.1:
Release 5.1:
Release 5.0.4:
Release 5.0.3:
Release 5.0.0:
Vulnerability Type: Directory Traversal, Arbitrary File Disclosure
Security Risk: high
Vendor URL: http://www.hybris.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-016
Advisory Status: published
CVE: CVE-2014-8871
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8871


"hybris delivers a commerce software suite that is best in class,
helping a company execute all its direct selling processes and present a
single view and a unified experience to all its customers."

(from the vendor's homepage)

More Details

Webshops based on hybris may use an image retrieval system where images
are identified by a URL parameter named "context" rather than a file
name. When this system is used, images can be referenced e.g. like the

<img src="/medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBl
YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200" />

Changing the file name part of the URL from "image.jpg" to e.g.
"redteam.jpg" reveals that not the file name part of the URL, but the
value of the parameter "context" is used to select the desired file.

A closer look at the parameter shows that its value is encoded as
Base64. Decoding it reveals a pipe-separated data structure which
includes a file size (third value), a file name (fifth value) and a
SHA-256 hash (sixth value):

$ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpw\
1OTkxYjc4NTJiODU1" | base64 -d


During the penetration test many parameters were inspected and it turned
out that the SHA-256 hash is used to reference a particular version of
the file, and can be replaced by a dash ("-") character, which always
returns the latest version. The example request can be modified and
requested with curl as follows:

$ echo -n "master|root|12345|image/jpeg|7415687361172.jpg|-" | base64
$ curl -I http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R\

It was verified that the file name (fifth) value is vulnerable to
directory traversal. This enables attackers to retrieve the contents of
other files from the server's filesystem by using sequences of "../".
The following HTTP request for example delivers the contents of the file

$ echo -n "master|root|12345|text/plain|../../../../../../etc/passwd|-"\
| base64 -w0

$ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MT\


The size included in the third field of the data structure is used to
limit the number of bytes returned for a file. As it can be modified by
attackers, files of any size with arbitrary content can be downloaded,
provided the path to the file on the server is known. This enables
attackers to read, among others, the environment of the current process
at /proc/self/environ and the list of memory maps including the full
paths to loaded libraries at /proc/self/maps. This way, knowledge about
a particular instance of hybris can be gathered. Afterwards it is
possible to access configuration files like "local.properties" and the
log files for shop orders which also contain the current session-IDs of
users. Furthermore, the Java bytecode of hybris can be downloaded and

Proof of Concept

curl https://www.example.com/medias/redteam?context=$(base64 -w0 <<< \


Implement a new filter which validates file names and insert this filter
before hybris' own MediaFilter. The new filter should return an error
when a file outside the media directory is requested.


Upgrade to a fixed hybris version or apply the vendor's hot fix.

Security Risk

This vulnerability can be used to download files from the file system of
the server. This includes, among others, configuration files and the
hybris order logfile, which contains sensitive data. Therefore, the
vulnerability poses a high risk.


2014-10-08 Vulnerability identified
2014-10-08 Customer notified vendor
2014-10-29 Vendor released fixed version
2014-11-11 CVE number requested
2014-11-12 Vendor requests more time to notify their customers
2014-11-14 CVE number assigned
2014-12-08 Vendor again requests more time to notify customers
2015-01-12 Vendor notifies customers again, agrees to release advisory
on 2015-02-18
2015-02-17 Vendor requests more time to notify customers for the 3rd
time, RedTeam Pentesting declines
2015-02-18 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at

RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By