Post Wed Mar 27, 2013 9:36 am

HTB23147: Path Traversal in AWS XMS

Advisory ID: HTB23147
Product: AWS XMS
Vendor: aws-dms.com
Vulnerable Versions: 2.5 and probably prior
Tested Version: 2.5
Vendor Notification: March 6, 2013
Vendor Fix: March 16, 2013
Public Disclosure: March 27, 2013
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2013-2474
Risk Level: Medium
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab


Advisory Details:
High-Tech Bridge Security Research Lab discovered path traversal vulnerability in AWS XMS, which can be exploited to read contents of arbitrary files.

1) Path Traversal in AWS XMS: CVE-2013-2474
The vulnerability exists due to insufficient filtration of "what" HTTP GET parameter passed to "/importer.php" script before using it in PHP "file()" function. A remote attacker can read contents of arbitrary files on the target system.
The vulnerable script sets "text/javascript" Content-Type for the output data, which makes exploitation of the vulnerability via a web browser inconvenient. Exploitation via telnet or wget utilities is easier.
The following PoC (Proof of Concept) code uses wget utility to download source code of "/default.php" file, which contains application configuration data and administrator’s credentials:
  Code:
wget http://[host]/importer.php?what=defaults.php%00.js

To bypass protections against NULL-byte injection (implemented in PHP 5.3.4 and later versions) or enabled "magic_quotes_gpc", alternative techniques based on path normalization and length restrictions can be used.
The second PoC code uses a large amount of '/' symbols (4096 is sufficient for the majority of platforms) to bypass the restrictions and get source code of the "/default.php" file:
  Code:
wget http://[host]/importer.php?what=defaults.php///////...//////.js


Solution:
Upgrade to AWS XMS 2.6

More Information:
http://www.aws-dms.com/temp.php?use=tem ... ml#xms-2.6


References:
[1] High-Tech Bridge Advisory HTB23147 - https://www.htbridge.com/advisory/HTB23147 - Path Traversal in AWS XMS.
[2] AWS XMS - http://www.aws-dms.com/ - XMS is an online visual web development enviroment and framework, providing a web application base, with multi language support, based on XML.
[3] Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.