Vulnerability Type / Importance: Information Leak and Arbitrary File Disclosure / High
Problem Discovered: 24 September 2007
Vendor Contacted: 28 September 2007
Advisory Published: 05 October 2007
Abstract:
The Webshell4 application from H-Sphere is a content management application that is accessible via a web interface. The service is vulnerable to an authentication bypass attack that, if exploited, can result in arbitrary file disclosure, allowing access to files outside the user's permitted contents.
Description:
Vulnerability 1:
The Webshell4 application responds with an HTTP "302 Moved Temporarily" message redirecting to the login page when a user tries to access any application resource without prior authentication. However, the actual content of the page is sent together with the "302 Moved Temporarily" response, regardless of the authentication failure. By changing the "302 Moved Temporarily" response to a "200 OK", all requested contents can be read without prior authentication. Although access to specific user resources is not permitted due to the way the authentication is constructed, access to the various application components could potentially lead to information leakage and to vulnerability 2 as described below.
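A defender-side check for the behaviour described in Vulnerability 1, as an added example that is not part of the original advisory or the vendor's code: it parses a captured raw HTTP response and flags any redirect that carries more than a short stub body. The sample responses, the Location value and the 200-character threshold are constructed assumptions, and the body is assumed to be already de-chunked and decompressed.

```python
import re

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body

def visible_text(body: bytes) -> str:
    """Strip scripts, styles and tags, then collapse whitespace."""
    text = body.decode("utf-8", "replace")
    text = re.sub(r"(?is)<(script|style).*?</\1>", " ", text)
    text = re.sub(r"(?s)<[^>]+>", " ", text)
    return " ".join(text.split())

def redirect_leaks_body(raw: bytes, max_stub_chars: int = 200) -> bool:
    """True when a redirect carries more body than a short 'moved' stub.

    max_stub_chars is an assumed threshold; tune it to the server's
    normal redirect stub.
    """
    status, headers, body = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return False
    return len(visible_text(body)) > max_stub_chars

# Constructed sample responses (not captured from a real system).
HEAD_302 = (b"HTTP/1.1 302 Moved Temporarily\r\n"
            b"Location: /login-page-placeholder\r\n"
            b"Content-Type: text/html\r\n\r\n")
LEAKY = HEAD_302 + (b"<html><body><h1>File manager</h1>"
                    + b"<p>directory listing row</p>" * 20 + b"</body></html>")
CLEAN = HEAD_302 + b"<html><body>Moved <a href='/x'>here</a></body></html>"
PAGE_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            + b"<p>ordinary page content</p>" * 20)

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN), ("200", PAGE_200)):
        print(name, redirect_leaks_body(raw))
```

Run against responses to unauthenticated requests, a `True` result indicates the page content is still being sent alongside the redirect.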
Vulnerability 2:
In conjunction with the vulnerability discovered above, an attacker can access arbitrary files on the file system (with the same permissions as the httpd process), bypassing even the access control restrictions that would otherwise be imposed on an authenticated user. This is performed by appending the physical path of the file to the URL parameters of the application components listed below:
Full File Access: http://[URL]/webshell4/viewer.php?fn=/etc/passwd&force=txt
Truncated File Access: http://[URL]/webshell4/upeek.php?pwf=/etc/passwd
Vendor & Patch Information:
The vendor has confirmed the vulnerability and has announced that the issues will be fixed in the next webshell-4.4 version, which will be released with H-Sphere version 3.1.
For users who cannot upgrade to H-Sphere 3.1 and/or the new webshell-4.4 version, a security patch that mitigates this vulnerability can be requested from the vendor at http://www.psoft.net/. No specific URL has been provided.
Workaround:
IRM is not aware of any workaround that will resolve this vulnerability.
Tested/Affected Versions:
H-Sphere 3.0 Webshell4
Credits:
Research & Advisory: Rodrigo Marcos, Kendric Tang
Disclaimer:
All information in this advisory is provided on an "as is" basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.
