
CERT Coordination Center

OpenConnect Webconnect read-only directory traversal vulnerability in jretest.html

Vulnerability Note VU#628411

Original Release Date: 2005-02-21 | Last Revised: 2005-02-21

Overview

OpenConnect Webconnect contains a read-only directory traversal vulnerability in the file jretest.html.

Description

OpenConnect Webconnect provides secured web access and emulation services for backend mainframes and UNIX servers. Versions of Webconnect prior to 6.4.5 and 6.5.1 running on all operating systems have a read-only directory traversal vulnerability. A specially crafted GET request causes INI-style files outside of the web server root directory to be incorrectly parsed and individual attribute values to be exposed in an error message.

Files exposed by jretest.html must be formatted in an INI-style format popularized by Microsoft Windows:

[section]
attribute1 = value1
attribute2 = value2, value3, value4

Per the OpenConnect Vendor Statement for VU#628411:

The file being accessed must be in ini-style to be parsed within WebConnect.  The jretest.html page will attempt to retrieve a user configuration value from that file.  When the value is found to be invalid, it is displayed within the returned error html page. This allows the end user to see the value for one key within the ini-style file.  The entire file is not displayed to the user nor can the user manipulate the file in any way. This vulnerability is present in all platform versions of WebConnect but is Windows-focused due to the need for the target file to be ini-style.
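The two missing checks described above, shown in hardened form as an added example (not OpenConnect's code, which this note does not show): the lookup confines the requested file to the installation directory and returns a fixed error message that never contains the parsed value. The function names, the `jre`/`version` section and key, and the file layout are assumptions made for illustration.

```python
import configparser
import os
import tempfile

class ConfigLookupError(Exception):
    """Carries a fixed message that is safe to show to the remote user."""

def resolve_inside(base_dir, requested):
    """Return the real path of `requested` only if it stays under base_dir."""
    base = os.path.realpath(base_dir)
    # join() discards `base` for absolute input, so compare after resolving.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ConfigLookupError("configuration file not permitted")
    return target

def read_setting(base_dir, requested, section, key, allowed):
    """Read one INI value; error messages never include file content."""
    path = resolve_inside(base_dir, requested)
    parser = configparser.ConfigParser(interpolation=None)
    try:
        with open(path, encoding="utf-8") as fh:
            parser.read_file(fh)
        value = parser.get(section, key)
    except (OSError, UnicodeDecodeError, configparser.Error):
        raise ConfigLookupError("configuration value unavailable") from None
    if value not in allowed:
        # The behaviour the note describes echoed `value` in the error page here.
        raise ConfigLookupError("configuration value is invalid")
    return value

def demo():
    """Constructed layout: an install directory and an INI file outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        install = os.path.join(root, "install")
        os.mkdir(install)
        for rel, val in (("install/user.ini", "1.4"), ("outside.ini", "constructed-secret")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(f"[jre]\nversion = {val}\n")  # hypothetical section and key
        results["ok"] = read_setting(install, "user.ini", "jre", "version", {"1.4"})
        cases = (("traversal", "../outside.ini", {"1.4"}),
                 ("absolute", os.path.join(root, "outside.ini"), {"1.4"}),
                 ("invalid", "user.ini", {"1.5"}))
        for name, requested, allowed in cases:
            try:
                read_setting(install, requested, "jre", "version", allowed)
            except ConfigLookupError as exc:
                results[name] = str(exc)
    return results
```

Calling `demo()` returns the accepted value for the in-directory file and the fixed error strings for the relative, absolute and invalid-value cases.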

Impact

Exploitation of this read-only directory traversal vulnerability discloses limited types of information.

Per the OpenConnect Vendor Statement for VU#628411:

The file being accessed must be in ini-style to be parsed within WebConnect.  The jretest.html page will attempt to retrieve a user configuration value from that file.  When the value is found to be invalid, it is displayed within the returned error html page. This allows the end user to see the value for one key within the ini-style file.  The entire file is not displayed to the user nor can the user manipulate the file in any way. This vulnerability is present in all platform versions of WebConnect but is Windows-focused due to the need for the target file to be ini-style.

Solution

Affected sites should upgrade to a corrected version of WebConnect, versions 6.4.5 and 6.5.1. Licensed users can send mail to OpenConnect technical support at ocs_support@oc.com, or call +1-972-888-0678.

Vendor Information


OpenConnect Affected

Notified:  January 01, 2005 Updated: February 20, 2005

Status

Affected

Vendor Statement

Vulnerability Note VU#628411

OpenConnect WebConnect Directory Traversal Vulnerability

Overview

Manipulation of parameters to jretest.html may allow exposure of limited file data outside the WebConnect installation directory.

I. Description

From the OpenConnect webpage:

WebConnect is client-server based software that provides secure browser based emulation to mainframe, midrange and UNIX systems. WebConnect enables enterprise organizations to provide suppliers, partners and employees with secure access to vital applications and information. Enterprises increase productivity and profits, and retain all the advantages of secure host connectivity to new and existing applications in "real-time."

Because WebConnect is non-intrusive, it provides secure SSL encrypted information migration and access without requiring modification to the host. With its patented secure, "persistent connectivity" technology, only WebConnect is capable of supporting tens of thousands of concurrent browser-based users.


WebConnect 6.4.4 and 6.5 do not validate access to product configuration file pathnames outside the installation directory. This can allow the parsing of ini-style files and display of one value from the file in html returned to the user.

II. Impact

The file being accessed must be in ini-style to be parsed within WebConnect. The jretest.html page will attempt to retrieve a user configuration value from that file. When the value is found to be invalid, it is displayed within the returned error html page. This allows the end user to see the value for one key within the ini-style file. The entire file is not displayed to the user nor can the user manipulate the file in any way. This vulnerability is present in all platform versions of WebConnect but is Windows-focused due to the need for the target file to be ini-style.

III. Solution

Update to a corrected version of WebConnect

This vulnerability has been corrected in WebConnect versions 6.4.5 and 6.5.1. Licensed users of WebConnect may contact OpenConnect Technical Support to receive these updated versions.

Credit

Thanks to Dennis Rand of the Danish Computer Incident Response Team for reporting this vulnerability.

This document was written by OpenConnect WebConnect Development based primarily on information provided by Dennis Rand.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Licensed users can send mail to OpenConnect technical support at ocs_support@oc.com, or call +1-972-888-0678.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

Thanks to Dennis Rand of the Danish Computer Incident Response Team for reporting this vulnerability.

This document was written by Jeff S Havrilla and based on the OpenConnect WebConnect Development team statement, with contributions from Dennis Rand.

Other Information

CVE IDs: CVE-2004-0465
Severity Metric: 2.82
Date Public: 2005-02-21
Date First Published: 2005-02-21
Date Last Updated: 2005-02-21 17:18 UTC
Document Revision: 15

Sponsored by CISA.