Minded Security Labs: Advisory #MSA260209
Servlet Exec Multiple Security Issues

Tested Versions: ServletExec 5.0p06 on Microsoft IIS 6.0
Minded Security ReferenceID: MSA260209
Credits: Discovery by Stefano Di Paola and Giorgio Fedon of Minded Security.
Stefano Di Paola (stefano.dipaola [_at_] mindedsecurity.com) discovered the first issue (Path Traversal) and Giorgio Fedon (giorgio.fedon [_at_] mindedsecurity.com) discovered the second issue (Authentication Bypass).
Severity: High. Attackers may be able to read application secrets stored in configuration files or to bypass authentication on the ServletExec administrative interface.
Solution: Update your installation with the July 2010 hotfix:
http://www.newatlanta.com/c/products/servletexec/download/hotfix/showHotfixes

Summary

During a penetration testing activity, Minded Security consultants discovered that New Atlanta ServletExec may permit an unauthenticated attacker to read system configuration files or to access system information without valid credentials.

Analysis

First Issue: Path Traversal

Minded Security consultants were able to read arbitrary files within the ServletExec system path by abusing a flaw in the administration help pages of the ServletExec platform. In fact, by requesting the following URL:

http:///servlet/pagecompile._admin._help._helpContent_xjsp?page=../../WEB-INF/web.xml

it is possible to download the "web.xml" file of an application. Because web.xml commonly contains deployment details (security constraints, resource references and, in some deployments, credentials), this turns a help-page bug into disclosure of application secrets.

Second Issue: Authentication Bypass

Furthermore, we discovered that some functionalities of the ServletExec Administrative Interface can be accessed without any valid user credential. By supplying a properly crafted request to the servlet interface, it is possible to directly access the precompiled JSP pages stored inside the "ServletExec Admin" package, skipping the authentication that normally fronts the administrative interface.

The following request will display the login interface:

http:///servlet/pagecompile._admin._login_xjsp

It is very important to observe that direct access to "ServletExec Administrative" functionalities may lead to a full system compromise if the attacker is able to deploy his own malicious code on the protected environment.

The following request will show the system properties:

http:///servlet/pagecompile._admin._vmSystemProperties_xjsp

Other examples include unauthorized access to the "Log Configuration":

http:///servlet/pagecompile._admin._SELogging_xjsp

Unauthorized access to the Administrative User Management panel:

http:///servlet/pagecompile._admin._userMgt_xjsp

Access to virtual server management:

http:///servlet/pagecompile._admin._virtualServers_xjsp

Access to the Admin Optional Packages configuration section:

http:///servlet/pagecompile._admin._optionalPackages_xjsp

Access to the Data Sources configuration section:

http:///servlet/pagecompile._admin._dataSources_xjsp

Access to the Admin Debug configuration section:

http:///servlet/pagecompile._admin._debug_xjsp

Disclosure Timeline

26/02/2009 Issue found
29/04/2010 Reported to Vendor

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail research_at_mindedsecurity.com for permission.

Copyright (c) 2010 Minded Security, S.r.l.. All rights reserved worldwide.
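The two patterns in the Analysis section above leave a recognisable trace in the IIS request log: a "page" parameter containing ".." on the admin help servlet, and direct hits on the precompiled "pagecompile._admin._*_xjsp" pages. The following detection script is an added example written for this page; it is not part of the original advisory or of ServletExec. It parses IIS W3C extended log lines (the sample log is constructed, as are the IP addresses and field layout) and flags both patterns, decoding URL encoding twice so that a double-encoded "..%252F" is still caught. The endpoint names are exactly the ones listed in the advisory.

```python
"""Scan IIS W3C log lines for the two MSA260209 attack patterns:
   (1) directory traversal in the 'page' parameter of the ServletExec
       admin help servlet, and
   (2) direct requests to precompiled ServletExec admin pages.
Added example for this advisory; the log sample below is constructed."""
from urllib.parse import parse_qs, unquote

SERVLET_PREFIX = "/servlet/"
HELP_PAGE = "pagecompile._admin._help._helpContent_xjsp"
# Precompiled admin pages named in the advisory.
ADMIN_PAGES = {
    "pagecompile._admin._login_xjsp",
    "pagecompile._admin._vmSystemProperties_xjsp",
    "pagecompile._admin._SELogging_xjsp",
    "pagecompile._admin._userMgt_xjsp",
    "pagecompile._admin._virtualServers_xjsp",
    "pagecompile._admin._optionalPackages_xjsp",
    "pagecompile._admin._dataSources_xjsp",
    "pagecompile._admin._debug_xjsp",
}


def decode_twice(value):
    """Undo single and double URL encoding; treat backslash as a separator."""
    return unquote(unquote(value)).replace("\\", "/")


def is_traversal(value):
    """True when any path segment of the decoded value is '..'."""
    return ".." in decode_twice(value).split("/")


def classify_request(uri_stem, uri_query):
    """Return a finding label for one request, or None if it is uninteresting."""
    stem = decode_twice(uri_stem)
    if SERVLET_PREFIX not in stem:
        return None
    name = stem.rsplit("/", 1)[-1]
    if name == HELP_PAGE:
        query = "" if uri_query == "-" else uri_query  # IIS logs '-' for no query
        pages = parse_qs(query, keep_blank_values=True).get("page", [])
        return "path-traversal" if any(is_traversal(p) for p in pages) else None
    if name in ADMIN_PAGES:
        return "admin-page-direct-access"
    return None


def parse_w3c(lines):
    """Yield one dict per data line, using the '#Fields:' header for column names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def scan(lines):
    """Return (client ip, label, uri stem, status) for every flagged request."""
    findings = []
    for row in parse_w3c(lines):
        label = classify_request(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if label:
            findings.append((row.get("c-ip", "?"), label, row["cs-uri-stem"], row.get("sc-status", "?")))
    return findings


# Constructed sample log: one benign help lookup, one plain and one
# double-encoded traversal, one direct admin page hit, one unrelated servlet.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2010-05-01 10:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 200
2010-05-01 10:00:02 10.0.0.5 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=intro.html 80 - 192.0.2.10 200
2010-05-01 10:00:03 10.0.0.5 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=../../WEB-INF/web.xml 80 - 198.51.100.7 200
2010-05-01 10:00:04 10.0.0.5 GET /servlet/pagecompile._admin._help._helpContent_xjsp page=..%252F..%252FWEB-INF%252Fweb.xml 80 - 198.51.100.7 200
2010-05-01 10:00:05 10.0.0.5 GET /servlet/pagecompile._admin._vmSystemProperties_xjsp - 80 - 198.51.100.7 200
2010-05-01 10:00:06 10.0.0.5 GET /servlet/MyApp - 80 - 192.0.2.10 200
""".splitlines()

if __name__ == "__main__":
    for ip, label, uri, status in scan(SAMPLE_LOG):
        print(f"{ip:15} {label:26} {status} {uri}")
```

Run it against a real log with `scan(open(path))`. Legitimate administrators also request the login page and the other admin pages, so treat "admin-page-direct-access" as a hunting signal to be filtered by known administrator source addresses; the "path-traversal" label is reliable on its own, since the help page has no legitimate reason to take a ".." segment.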