[NEWS] Directory Traversal in Wolfram Research's webMathematica

From: support@securiteam.com
Date: 06/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 17 Jun 2002 21:18:26 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Directory Traversal in Wolfram Research's webMathematica
------------------------------------------------------------------------

SUMMARY

There is a vulnerability in the webMathematica software which allows
remote clients (web surfers) to read an arbitrary file on the server
(assuming the httpd-user has permission). This can reveal sensitive
information such as that stored in /etc/passwd, /etc/inetd.conf, system
logs, etc. (These examples are on UNIX -- note that Windows servers are
also vulnerable.)

DETAILS

 <http://www.wolfram.com/> webMathematica is the clear choice for adding
interactive calculations to the web. This unique technology enables you to
create web sites that allow users to compute and visualize results
directly from a web browser.

Based on the world's leading technical computing software and the proven
Java Servlet technology, webMathematica is fully compatible with
Mathematica and state-of-the-art dynamic web systems.

webMathematica generates images based on user input, often involving
mathematical figures or signs which cannot be displayed using normal
ascii-text. Generated images are named a long numeric string (randomly
generated?) and are displayed in the page presented to the user. The ID of
the image is passed to a cgi-script as an argument the URL, as shown
below, and altering this ID can trick the script into displaying other
files on the system.

Exploit:
Example normal URL:
http://www.domain.com/webMathematica/MSP?MSPStoreID=MSPStore888808189_2408042780&MSPStoreType=image/gif

Example exploited URL:
http://www.domain.com/webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=image/gif

Note that the normal user would never see the above 'normal' URL, as the
URL only refers the generated image. It is found by viewing the page
source, or through browser-specific methods. In Internet Explorer, for
example, one would right-click on the generated image and click
'Properties'.

Workaround:
Directly reference the generated image, thereby avoiding use of the 'MSP'
script.

Solution:
Upgrade to the latest version of the product.

ADDITIONAL INFORMATION

The information has been provided by <mailto:andrewbadr@hotmail.com>
Andrew Badr.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • Re: FP 2003 + interactive buttons + search
    ... Your MLS search sounds like you will need to use a database ... | displaying the interactive buttons we're using for navigation. ... | I've also been asked to add a search feature for within a web site to enable ...
    (microsoft.public.frontpage.programming)
  • Re: "Page cannot be displayed" banner
    ... Go to Microsoft Product Support Services and perform a title search for the ... topics titled Web Site Setup, Common Administrative Tasks, and About Custom ... > You should also get a copy of WINSOCKXPFIX available at: ... >> Has anyone else experienced this banner displaying within opened webpages ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: FP 2003 + interactive buttons + search
    ... > Your MLS search sounds like you will need to use a database ... > | displaying the interactive buttons we're using for navigation. ... > | I've also been asked to add a search feature for within a web site to ...
    (microsoft.public.frontpage.programming)
  • Re: Internet Explorer and .htaccess directory protection
    ... >I have protected a directory on a web site using .htaccess. ... > displaying the 401 error message? ... can this Internet Explorer setting ... > a limit on the number of times the pop-up window shows up.) ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Directory Traversal in Wolfram Researchs webMathematica
    ... There is a vulnerability in the webMathematica software which allows remote ... clients to read an arbitrary file on the server (assuming the ... and altering this ID can trick the script into displaying other ...
    (Bugtraq)