security advisory: Elastic Path Unrestricted Filesystem Access
Elastic Path is a popular Java e-commerce platform for building online stores and shopping carts. It consists of a shopping front end, where customers browse and choose products, and a management back end used for administration.
Users of the administrative interface can be granted different levels of access. Research revealed that users holding upload or download privileges could abuse them to read, write and list arbitrary files on the remote system (read the security advisory - mirror #1, mirror #2).
update: a link to the patch is available in Elastic Path Developer’s site (thanks to d-dub).
update: this vulnerability has been assigned the following CVE number: CVE-2008-1606.
Arbitrary File Download
The script Elastic Path uses to serve file download requests is vulnerable to directory traversal. The file parameter is not sufficiently validated, so an attacker can download arbitrary files from the remote system.
Arbitrary File Upload
The script Elastic Path uses to handle file upload requests likewise fails to apply sufficient validation to user input. As a result an attacker can use importData.jsp to write arbitrary files to arbitrary locations on the remote web server.
The input validation filters can be bypassed by submitting a specially crafted file name that mixes forward and back slashes, such as:
../..\..\..\Browser.jsp
File System Browse
Elastic Path provides a script, fileManager.jsp, to manage the resource files associated with the shop's products. Source code inspection revealed that insufficient validation of the dir parameter allows an attacker to browse the contents of arbitrary locations on the remote drive.
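The three issues above (the download file parameter, the upload file name and the browse dir parameter) are one bug class: a filesystem path built from user input without being confined to the intended directory. The following is an added example, not code from Elastic Path or from the advisory. It shows a hypothetical naive filter of the kind that a mixed-separator file name slips past, beside a hardened resolver that canonicalises the path and checks that it still lies under the base directory; the same resolver serves the download and browse parameters, and a stricter bare-name rule is applied to upload file names. The class and method names, the base directory and the naive filter are assumptions; the advisory does not show Elastic Path's real filtering logic.

```java
import java.io.File;
import java.io.IOException;

/** Added example (not Elastic Path code): confining user-supplied paths to a base directory. */
public class SafePath {

    /** Hypothetical naive filter: strips "../" only, so "..\" and "....//" get through. */
    static String naiveFilter(String userPath) {
        return userPath.replace("../", "");
    }

    /**
     * Resolve a user-supplied relative path under baseDir, or throw.
     * Suitable for a download "file" parameter or a browse "dir" parameter.
     */
    static File resolveUnder(File baseDir, String relative) throws IOException {
        if (relative == null || relative.indexOf('\0') >= 0) {
            throw new IOException("invalid path");
        }
        // Treat backslash as a separator on every platform. On Windows the JVM
        // already does; on Unix a backslash is a legal file name character, but
        // rejecting it keeps the rule identical everywhere.
        String normalised = relative.replace('\\', '/');
        for (String segment : normalised.split("/")) {
            if (segment.equals("..")) {
                throw new IOException("dot-dot segment rejected: " + relative);
            }
        }
        // Canonicalise both sides (resolves ".", "..", symlinks and drive letters)
        // and compare with the trailing separator included, so that a sibling
        // directory whose name merely starts with the base name cannot pass.
        String base = baseDir.getCanonicalPath();
        File target = new File(baseDir, normalised);
        String canonical = target.getCanonicalPath();
        if (!canonical.equals(base) && !canonical.startsWith(base + File.separator)) {
            throw new IOException("path escapes " + base + ": " + canonical);
        }
        return target;
    }

    /** Upload file names must be a bare name with no directory component at all. */
    static File uploadTarget(File uploadDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty()
                || fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0
                || fileName.indexOf('\0') >= 0
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IOException("bare file name required: " + fileName);
        }
        return resolveUnder(uploadDir, fileName);
    }

    public static void main(String[] args) throws IOException {
        // Assumed base directory for the demonstration.
        File base = new File(System.getProperty("java.io.tmpdir"), "ep-assets");
        base.mkdirs();
        String[] inputs = {
            "catalog/image.jpg",            // legitimate relative path
            "../../../etc/passwd",          // plain traversal
            "../..\\..\\..\\Browser.jsp",   // mixed separators, as in the advisory's payload
            "....//....//web.xml",          // survives a single "../" strip: "....//" becomes "../"
        };
        for (String in : inputs) {
            System.out.println("input: " + in);
            System.out.println("  naive filter leaves: " + naiveFilter(in));
            try {
                System.out.println("  resolveUnder: " + resolveUnder(base, in));
            } catch (IOException e) {
                System.out.println("  resolveUnder rejected: " + e.getMessage());
            }
            try {
                System.out.println("  uploadTarget: " + uploadTarget(base, in));
            } catch (IOException e) {
                System.out.println("  uploadTarget rejected: " + e.getMessage());
            }
        }
    }
}
```

Two details carry the weight here. The canonical comparison includes File.separator, because a plain prefix check on the base path would accept a sibling such as an "ep-assets-old" directory. And the dot-dot check is kept even though canonicalisation alone would catch the traversal, so that a rejected request is logged with the original offending input rather than with whatever path it happened to resolve to.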
Dependencies
To exploit the attack vectors described, the user must be logged into the Elastic Path manager application. In addition, the logged-in user must hold download or upload rights to exploit the arbitrary file download and upload vulnerabilities respectively.
Recommendations
It is recommended that all installations of the software be upgraded to a secure version when this is made available by the vendor.
To reduce the risk to which users of the software are exposed, it is further advised that the application server be run under a system account with the lowest level of privilege possible, so that a file read, write or listing performed through the application cannot reach beyond what that account may access.
It is also recommended that, where possible, the Elastic Path manager application should be subject to network level filtering such that only trusted IP addresses can communicate with the service. It should be noted that this is a generic recommendation and is not specific to this technology.
March 26th, 2008 at 9:16 pm
A patch for this issue can be downloaded from here:
http://developer.elasticpath.com/entry!default.jspa?categoryID=4&externalID=1334
March 31st, 2008 at 2:40 pm
Thank you d-dub, I was not aware of that link. I have updated the main article to include it.