Hello,

securitywatch released a text saying the Intershop 4 e-business solution is vulnerable to a "directory traversal". This is definitely not the case.

The original e-mail from Andreas Constantinides on Bugtraq says he just tried to find bugs by manipulating the URL. An example URL given by Constantinides is

https://www.xxxxxxxx.com/cgi-bin/buy.storefront/3baecb4a00025ad227a4c30e95010642/winnt/cmd.exe?/c+dir+c

This URL is indeed similar to URLs used by the Intershop 4 application server. The hexadecimal number between the "CGI name" (it's not really a CGI) and the added path is a session id. It is neither possible to escape to the document or file system root nor to execute any binaries on the system. We already double checked this on Monday on an Intershop 4 system using NT and IIS.

Any additions or manipulations to the URL that cannot be interpreted as valid identifiers by the IS4 application server result in an error message and/or a new session, depending on the error and the customization of the application server. Furthermore, Constantinides states that it was not possible to generate any abnormal action in the application server by submitting those manipulated URLs.

It would be appropriate for securitywatch and Maarten Van Horenbeeck to release a text disclaiming this security hole and explaining the mistake. All rights to initiate any legal steps are still reserved.

Kind regards,
Christian Kahlo

-- 
Christian Kahlo, Manager Security, Research and Development
INTERSHOP Communications, 14th Floor, INTERSHOP Tower, D-07740 Jena
Phone: +49-3641-50-3205, Fax: +49-3641-50-1014, GSM: +49-172-79865-42
Intershop(R) Sell Anywhere(tm), http://www.intershop.com
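The storefront URL layout described above (CGI-like name, hexadecimal session id, then the request path) lends itself to a simple log check. The following is an added example, not code from the post or from Intershop: it parses constructed request URLs in that layout, validates the session id as hexadecimal, and flags trailing paths or query strings that carry traversal sequences or executable names, so a defender can spot probing attempts of this kind in web server logs. The host name, the helper names and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample request URLs (not taken from any real log or from the original post).
SAMPLE_REQUESTS = [
    "https://shop.example/cgi-bin/buy.storefront/3baecb4a00025ad227a4c30e95010642/en/catalog",
    "https://shop.example/cgi-bin/buy.storefront/3baecb4a00025ad227a4c30e95010642/winnt/cmd.exe?/c+dir+c",
    "https://shop.example/cgi-bin/buy.storefront/3baecb4a00025ad227a4c30e95010642/..%2f..%2fwinnt/system.ini",
    "https://shop.example/cgi-bin/buy.storefront/notahexsession/en/catalog",
]

# Assumed layout: /cgi-bin/<name>.storefront/<session-id>[/<trailing path>]
STOREFRONT_RE = re.compile(r"^/cgi-bin/[^/]+\.storefront/([^/]+)(?:/(.*))?$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Tokens that should never appear in a legitimate storefront path or query.
SUSPICIOUS_RE = re.compile(r"(\.\./|\.\.\\|cmd\.exe|\bwinnt\b|/etc/passwd)", re.IGNORECASE)


def classify_request(url: str) -> str:
    """Return 'other', 'malformed-session', 'suspicious' or 'well-formed' for one URL."""
    parts = urlsplit(url)
    # Decode one level of percent-encoding before matching; double encoding is
    # deliberately not unwrapped further, so treat repeated '%25' as its own signal.
    path = unquote(parts.path)
    query = unquote(parts.query)
    m = STOREFRONT_RE.match(path)
    if not m:
        return "other"
    session_id, trailing = m.group(1), m.group(2) or ""
    if not HEX_RE.match(session_id):
        return "malformed-session"
    if SUSPICIOUS_RE.search(trailing) or SUSPICIOUS_RE.search(query):
        return "suspicious"
    return "well-formed"


def scan_requests(urls):
    """Map each URL to its classification; useful for a quick pass over a log extract."""
    return {url: classify_request(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{verdict:17} {url}")
```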