19th Jun 2002 [SBWID-5466]
COMMAND
webMathematica directory traversal
SYSTEMS AFFECTED
webMathematica ??
PROBLEM
From Andrew Badr's security advisory:
webMathematica generates images based on user input, often involving
mathematical figures or signs which cannot be displayed using normal
ascii-text. Generated images are named a long numeric string (randomly
generated?) and are displayed in the page presented to the user. The ID
of the image is passed to a cgi-script as an argument in the URL, as shown
below, and altering this ID can trick the script into displaying other
files on the system.
Encoded characters like %20 ( ), %22 ("), %3B (;) are all decoded in
the script but I can't find a way to escape the display command,
whatever it is, to e.g. execute a file.
For different file types, changing the MSPStoreType argument from
"image/gif" to "text" may give better results.
Exploit
=======
Example normal URL:
http://www.domain.com/webMathematica/MSP?MSPStoreID=MSPStore888808189_2408042780&MSPStoreType=image/gif
Example exploited URL:
http://www.domain.com/webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=image/gif
Note that the normal user would never see the above 'normal' URL, as
the URL only refers to the generated image. It is found by viewing the
page source, or through browser-specific methods. In Internet Explorer,
for example, one would right-click on the generated image and click
'Properties'.
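As an added illustration, not part of the advisory or of webMathematica itself, this is the kind of allow-list check the MSP script would need on the decoded MSPStoreID value, together with a scan over constructed access-log lines that flags traversal attempts. The store-ID pattern (inferred from the advisory's example ID), the store root path and the allowed MSPStoreType values are assumptions.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

# Assumed ID shape, inferred from the example MSPStore888808189_2408042780.
STORE_ID_RE = re.compile(r"^MSPStore\d+_\d+$")
ALLOWED_TYPES = {"image/gif", "image/jpeg", "image/png"}  # assumption

def resolve_store_file(store_root, store_id):
    """Return the canonical path for an already %-decoded store_id under
    store_root, or None if the request must be refused. The allow-list is
    the real control; the realpath/commonpath check is a second fence."""
    if not STORE_ID_RE.fullmatch(store_id):
        return None
    root = os.path.realpath(store_root)
    candidate = os.path.realpath(os.path.join(root, store_id))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def classify_request(url, store_root="/var/webMathematica/store"):
    """Classify one MSP request URL as 'ok', 'traversal' or 'malformed'.
    parse_qs performs the single %-decode, so validation sees the same
    value the script would act on (the advisory notes %xx is decoded)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    store_id = params.get("MSPStoreID", [""])[0]
    store_type = params.get("MSPStoreType", [""])[0]
    if resolve_store_file(store_root, store_id) is None:
        if ".." in store_id or "/" in store_id or "\\" in store_id:
            return "traversal"
        return "malformed"
    return "ok" if store_type in ALLOWED_TYPES else "malformed"

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2002:10:00:01] "GET /webMathematica/MSP?MSPStoreID=MSPStore888808189_2408042780&MSPStoreType=image/gif HTTP/1.0" 200',
    '10.0.0.9 - - [19/Jun/2002:10:00:07] "GET /webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=image/gif HTTP/1.0" 200',
    '10.0.0.9 - - [19/Jun/2002:10:00:09] "GET /webMathematica/MSP?MSPStoreID=..%2F..%2Fetc%2Fpasswd&MSPStoreType=text HTTP/1.0" 200',
]

def scan_log(lines):
    """Return (client, verdict) for every MSP request found in the lines."""
    out = []
    for line in lines:
        m = re.search(r'^(\S+) .*"GET (\S+) HTTP', line)
        if m and "/MSP?" in m.group(2):
            out.append((m.group(1), classify_request(m.group(2))))
    return out
```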
SOLUTION
Workaround
==========
Directly reference the generated image, thereby avoiding use of the
'MSP' script.
Patch
=====
See http://www.wolfram.com/