Paul J Docherty
02/02/05, 22:25
Portcullis Security Advisory
AREAS UPDATED: VENDOR RESPONSE.
VENDOR RESPONSE:
The product vendor, Bottomline Technologies has provided Portcullis with
the following response to the security advisory. It should be noted that
the resolution of this issue has not been verified by Portcullis:
Bottomline acknowledge that there is a slight risk of exposure of data
via unauthorised report generation. In order to further enhance the
security of the system a service pack will be released in Q1 2005. This
ensures the reporting module no longer passes the path and report
information on the URL line. This information is kept on the server and
passed using the database and additionally the report being executed is
validated against the user entitlements.=20
Contact Bottomline at: support@bottomline.co.uk Tel: +44 (0)1189
258253.
=20
Vulnerable System:=20
=20
Webseries Payment Application
=20
Vulnerability Title: =20
=20
Directory & File Enumeration Via Reporting System
=20
Vulnerability discovery and development:=20
=20
Portcullis Security Testing Services
=20
Affected systems:=20
=20
Bottomline Webseries Payment Application=20
=20
Details:
=20
By manipulating the values of certain variables used during report
selection it was possible enumerate the directory structure on the web
server.
=20
The BTInteractiveViewer.asp script combines the values of the
"ReportPath" and "ReportName" variables to determine the location of the
selected report template.
=20
When a non-existent file is specified in the "ReportName" variable an
error message of "The system cannot find the file specified" is
returned.
=20
When a non-existent directory is specified in the "ReportPath" variable
an error message of "The system cannot find the path specified" is
returned.
=20
When the "ReportName" variable contains the name of a file that exists
in the directory specified in the "ReportPath" variable an error message
of "Unable to load report" is returned.
=20
Impact:
=20
An attacker can use the information obtained by this issue to gain a
better understanding of the structure of the underlying Filesystem of
the web
server. =20
=20
Exploit:
=20
Exploit code not required.
=20
Copyright:=20
=20
Copyright (c) Portcullis Computer Security Limited 2005, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
=20
Disclaimer:=20
=20
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information
************************************************** ***********
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation.=20
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful.=20
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms
of business.
************************************************** ************
AREAS UPDATED: VENDOR RESPONSE.
VENDOR RESPONSE:
The product vendor, Bottomline Technologies has provided Portcullis with
the following response to the security advisory. It should be noted that
the resolution of this issue has not been verified by Portcullis:
Bottomline acknowledge that there is a slight risk of exposure of data
via unauthorised report generation. In order to further enhance the
security of the system a service pack will be released in Q1 2005. This
ensures the reporting module no longer passes the path and report
information on the URL line. This information is kept on the server and
passed using the database and additionally the report being executed is
validated against the user entitlements.=20
Contact Bottomline at: support@bottomline.co.uk Tel: +44 (0)1189
258253.
=20
Vulnerable System:=20
=20
Webseries Payment Application
=20
Vulnerability Title: =20
=20
Directory & File Enumeration Via Reporting System
=20
Vulnerability discovery and development:=20
=20
Portcullis Security Testing Services
=20
Affected systems:=20
=20
Bottomline Webseries Payment Application=20
=20
Details:
=20
By manipulating the values of certain variables used during report
selection it was possible enumerate the directory structure on the web
server.
=20
The BTInteractiveViewer.asp script combines the values of the
"ReportPath" and "ReportName" variables to determine the location of the
selected report template.
=20
When a non-existent file is specified in the "ReportName" variable an
error message of "The system cannot find the file specified" is
returned.
=20
When a non-existent directory is specified in the "ReportPath" variable
an error message of "The system cannot find the path specified" is
returned.
=20
When the "ReportName" variable contains the name of a file that exists
in the directory specified in the "ReportPath" variable an error message
of "Unable to load report" is returned.
=20
Impact:
=20
An attacker can use the information obtained by this issue to gain a
better understanding of the structure of the underlying Filesystem of
the web
server. =20
=20
Exploit:
=20
Exploit code not required.
=20
Copyright:=20
=20
Copyright (c) Portcullis Computer Security Limited 2005, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
=20
Disclaimer:=20
=20
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information
************************************************** ***********
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation.=20
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful.=20
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms
of business.
************************************************** ************