Fw: Directory Traversal in Wolfram Research's webMathematica

Patrick Nolan pnolan01 at nycap.rr.com
Mon Jun 17 17:47:09 GMT 2002


fwiw

----- Original Message ----- 
From: "Andrew Badr" <andrewbadr at hotmail.com>
To: <bugtraq at securityfocus.com>
Sent: Monday, June 17, 2002 12:22 PM
Subject: Directory Traversal in Wolfram Research's webMathematica


> Security Advisory
> By Andrew Badr
> -----------------
> 
> SUMMARY:
> 
> There is a vulnerability in the webMathematica software which allows remote 
> clients (web surfers) to read an arbitrary file on the server (assuming the 
> httpd-user has permission). This can reveal sensitive information such as 
> that stored in /etc/passwd, /etc/inetd.conf, system logs, etc. (These 
> examples are on UNIX -- note that Windows servers are also vulnerable.)
> 
> Software Publisher: Wolfram Research
> 
> Software Title: webMathematica
> 
> --
> 
> Software Description: http://www.wolfram.com/  says:
> 
> "webMathematica is the clear choice for adding interactive calculations to 
> the web. This unique technology enables you to create web sites that allow 
> users to compute and visualize results directly from a web browser.
> 
> Based on the world's leading technical computing software and the proven 
> Java Servlet technology, webMathematica is fully compatible with Mathematica 
> and state-of-the-art dynamic web systems."
> 
> 
> --
> 
> Vulnerability type:  Directory traversal
> 
> Vulnerability details: webMathematica generates images based on user input, 
> often involving mathematical figures or signs which cannot be displayed 
> using normal ascii-text. Generated images are named a long numeric string 
> (randomly generated?) and are displayed in the page presented to the user. 
> The ID of the image is passed to a cgi-script as an argument in the URL, as 
> shown below, and altering this ID can trick the script into displaying other 
> files on the system.
> 
> --
> 
> Exploit:
> 
> Example normal URL:
> http://www.domain.com/webMathematica/MSP?MSPStoreID=MSPStore888808189_2408042780&MSPStoreType=image/gif
> 
> 
> Example exploited URL:
> http://www.domain.com/webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=image/gif
> 
> 
> Note that the normal user would never see the above 'normal' URL, as the URL 
> only refers the generated image. It is found by viewing the page source, or 
> through browser-specific methods. In Internet Explorer, for example, one 
> would right-click on the generated image and click 'Properties'.
> 
> 
> --
> 
> Possible Workaround: Directly reference the generated image, thereby 
> avoiding use of the 'MSP' script.
> 
> Problem Elimination: Wolfram Research was able to fix this problem within 
> hours of notification.
> 
> --
> 
> More info:
> 
> Encoded characters like %20 ( ), %22 ("), %3B (;) are all decoded in the 
> script but I can't find a way to escape the display command, whatever it is, 
> to e.g. execute a file.
> 
> For different file types, changing the MSPStoreType argument from 
> "image/gif" to "text" may give better results.
> 
> --
> 
> The vendor HAS been notified of this vulnerability.
> The software has been fixed.
> 
> 
> ---
> 
> -Andrew Badr
> 
> 
> 

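The advisory describes the bug but not the servlet's internals. The following is an added example (it is not Wolfram's code and not part of the original post) that reconstructs the likely pattern: the MSPStoreID parameter is joined onto a directory of generated images and the result is served. It shows the naive join beside a hardened lookup, and a small detection helper that flags traversal attempts, using the advisory's two URLs plus a percent-encoded variant constructed here to illustrate the note that encoded characters are decoded before use. The store directory path, the ID format regex (derived from the sample ID MSPStore888808189_2408042780) and the helper names are all assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the advisory's example URLs; not captured traffic.
NORMAL_URL = ("http://www.domain.com/webMathematica/MSP"
              "?MSPStoreID=MSPStore888808189_2408042780&MSPStoreType=image/gif")
EXPLOIT_URL = ("http://www.domain.com/webMathematica/MSP"
               "?MSPStoreID=../../../../../etc/passwd&MSPStoreType=image/gif")
# Same traversal with dots and slashes percent-encoded (constructed here); the
# advisory notes that the script decodes such sequences before use.
ENCODED_URL = ("http://www.domain.com/webMathematica/MSP"
               "?MSPStoreID=%2e%2e%2f%2e%2e%2fetc%2fpasswd&MSPStoreType=text")

# Assumed layout (hypothetical): one directory of generated images, whose
# file name is exactly the MSPStoreID value.
STORE_DIR = "/srv/webMathematica/store"
# Assumed ID syntax, modelled on the sample ID in the advisory.
STORE_ID_RE = re.compile(r"MSPStore\d+_\d+")


def store_id_from_url(url):
    """Extract MSPStoreID as a servlet's getParameter() would: percent-decoded."""
    query = parse_qs(urlsplit(url).query)
    return query.get("MSPStoreID", [""])[0]


def vulnerable_store_path(store_dir, store_id):
    """The failing pattern: user input joined straight onto the store directory.
    '../' segments are honoured, so the result can be any file httpd can read."""
    return os.path.normpath(os.path.join(store_dir, store_id))


def escapes_store_dir(store_dir, store_id):
    """Detection helper: True when the naive join resolves outside store_dir.
    Useful for scanning request logs for MSPStoreID values that would have
    left the image directory."""
    base = os.path.realpath(store_dir)
    target = os.path.realpath(vulnerable_store_path(base, store_id))
    return os.path.commonpath([base, target]) != base


def safe_store_path(store_dir, store_id):
    """Hardened lookup: allow-list the ID syntax, then re-check the resolved path.
    Raises ValueError instead of serving anything outside store_dir."""
    # fullmatch, not match(): with '$' a trailing newline would slip through.
    if not STORE_ID_RE.fullmatch(store_id):
        raise ValueError(f"malformed MSPStoreID: {store_id!r}")
    base = os.path.realpath(store_dir)
    target = os.path.realpath(os.path.join(base, store_id))
    # Second line of defence: even if the regex is later loosened, the resolved
    # path still cannot leave the store directory (symlinks included).
    if os.path.commonpath([base, target]) != base:
        raise ValueError("MSPStoreID resolves outside the store directory")
    return target


if __name__ == "__main__":
    for url in (NORMAL_URL, EXPLOIT_URL, ENCODED_URL):
        sid = store_id_from_url(url)
        print(f"{sid!r}: naive -> {vulnerable_store_path(STORE_DIR, sid)}")
        try:
            print(f"  safe  -> {safe_store_path(STORE_DIR, sid)}")
        except ValueError as err:
            print(f"  safe  -> rejected ({err})")
```

The allow-list check alone would have closed this hole, but the realpath/commonpath check is kept as well because the two fail independently: one guards the input syntax, the other the filesystem result. The advisory's suggested workaround (link to the generated image directly instead of through MSP) is the same idea taken further: if no request parameter selects a file, there is no path for the traversal to travel.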