H-Sphere Webshell4 Information Leakage and Arbitrary File Disclosure Vulnerability
Vulnerability Type / Importance: Information Leak and Arbitrary
File Disclosure / High
Problem Discovered: 24 September 2007
Vendor Contacted: 28 September 2007
Advisory Published: 05 October 2007
Abstract:
The Webshell4 application from H-Sphere is a content management application
that is accessible via a web interface. The service is vulnerable to an
authentication bypass attack that, if exploited, can result in arbitrary file
disclosure, allowing access to files outside the user's permitted contents.
Description:
Vulnerability 1:
The Webshell4 application responds with an HTTP "302 Moved Temporarily" message
redirecting to the login page when a user tries to access any application
resources without prior authentication. However, the actual content of the page
is sent together with the "302 Moved Temporarily" response, regardless of the
authentication failure. By changing the "302 Moved Temporarily" response to a
"200 OK" all requested contents can be read without prior authentication.
Although access to specific user resources is not permitted due to the way the
authentication is constructed, access to the various application components
could potentially lead to information leakage and vulnerability 2 as described
below.
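A defender can confirm whether a deployment (or a patched build) still shows
the behaviour in Vulnerability 1 by checking that redirect responses carry no
page content. The following is an added example, not code from IRM or the
vendor; the sample responses, the login.php target and the 512-byte stub
threshold are constructed assumptions.

```python
# Added example (not IRM's or the vendor's code); samples and max_stub are assumed.
REDIRECT_CODES = {301, 302, 303, 307, 308}

def decode_chunked(data: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out = b""
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        out += data[:size]
        data = data[size + 2:]  # skip the chunk and its trailing CRLF
    return out

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(body)
    elif "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status, headers, body

def leaks_content_on_redirect(raw: bytes, max_stub: int = 512) -> bool:
    """True when a redirect carries more body than a short redirect stub would."""
    status, _, body = parse_response(raw)
    return status in REDIRECT_CODES and len(body.strip()) > max_stub

def sample_response(head: bytes, body: bytes, chunked: bool = False) -> bytes:
    if chunked:
        return head + b"\r\nTransfer-Encoding: chunked\r\n\r\n" + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return head + b"\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)

PAGE = b"<html>" + b"<tr><td>application page row</td></tr>" * 40 + b"</html>"
R302 = b"HTTP/1.1 302 Moved Temporarily\r\nLocation: login.php"
SAFE = sample_response(R302, b"")                          # redirect, empty body
LEAKY = sample_response(R302, PAGE)                        # redirect plus page content
LEAKY_CHUNKED = sample_response(R302, PAGE, chunked=True)  # same, chunked encoding
NORMAL = sample_response(b"HTTP/1.1 200 OK", PAGE)         # ordinary page, not a redirect

if __name__ == "__main__":
    print([leaks_content_on_redirect(r) for r in (SAFE, LEAKY, LEAKY_CHUNKED, NORMAL)])
```

Run against responses captured from unauthenticated requests to each
application component; any True result means the page is still rendered
before the redirect is sent.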
Vulnerability 2:
In conjunction with the vulnerability described above, an attacker can access
arbitrary files on the file system (with the same permissions as the httpd
process), bypassing even the access control restrictions that would otherwise
be imposed on an authenticated user. This is performed by appending the
physical path of the file to the URL parameters of the application components
listed below:
Full File Access: http://[URL]/webshell4/viewer.php?fn=/etc/passwd&force=txt
Truncated File Access: http://[URL]/webshell4/upeek.php?pwf=/etc/passwd
Vendor & Patch Information:
The vendor has confirmed the vulnerability and has announced that the issues
will be fixed in the next webshell-4.4 version, which will be released with
H-Sphere version 3.1.
For users who cannot upgrade to H-Sphere 3.1 and/or the new webshell-4.4
version, the security patch that mitigates this vulnerability can be requested
from the vendor - http://www.psoft.net/. No specific URL has been provided.
Workaround:
IRM is not aware of any workaround that will resolve this vulnerability.
Tested/Affected Versions:
HSphere 3.0 Webshell4
Credits:
Research & Advisory: Rodrigo Marcos, Kendric Tang
Disclaimer:
All information in this advisory is provided on an "as is" basis in the hope
that it will be useful. Information Risk Management Plc is not responsible for
any risks or occurrences caused by the application of this information.