Vulnerability

    SITEWare

Affected

    ScreamingMedia SITEWare 2.5, 3.0

Description

    Following is based  on Foundstone Labs  Advisory FS-061201-19-SMSW
    by  Mike  Shema.   A  vulnerability  exists  with ScreamingMedia's
    SITEWare Editor's Desktop which  allows for the arbitrary  viewing
    of world-readable files anywhere on the system.

    The  SITEWare  Editor's  Desktop  is  a  web-based  administration
    front-end for ScreamingMedia content.  The listening server can be
    assigned an arbitrary port on which to listen.  The default  login
    page is accessed by the URL:

        /SWEditServlet?station_path=Z&publication_id=2043&template=login.tem

    The   SWEditServlet   usually   accesses   templates   from    the
    "../SITEWare/Control/"  directory;  however,   the  servlet   will
    follow  directory  path  traversal.   Therefore,  by accessing the
    SWEditServlet and requesting an arbitrary template it is  possible
    to  view  the  source  of  that  file.   On  a Solaris system, the
    following resource path will reveal the contents of /etc/passwd:

        /SWEditServlet?station_path=Z&publication_id=2043&template=../../../../../../../../../../../etc/passwd

    As for exploit, from a browser, make the following URL request:

        http://server:port/SWEditServlet?station_path=Z&publication_id=2043&template=../../../../../../../etc/passwd

Solution

    Please contact the vendor for a solution.  Customers should obtain
    upgraded   software   by   contacting   their   customer   support
    representative to obtain patches.