Environment
NetIQ Access Manager 4.2
Situation
A file download vulnerability exists in the Admin Console that would allow a NAM admin user to download any file from the Admin Console host using the following code promotion URL:
https://<$admin_console_ipaddr>:8443/roma/system/cntl?handler=staging&actionCmd=download&stagingfile=../../../../../../../../../../etc/passwd
This does not happen in 4.3.
Resolution
Apply 4.2.3.
The download request is validated for the file name and path traversal is blocked. The following message is now returned:
Requested config was not returned. File name is null or is invalid - ../../../../../etc/passwd
This type of crafted URL throws an exception in the catalina logs:
https://<adminconsole-ip>:8443/roma/system/cntl?handler=staging&actionCmd=download&stagingfile=NAMExportedConfig_2017-01-16_1249.namcfg/../../../../../etc/passwd
Returning exported config to the browser: NAMExportedConfig_2017-01-16_1249.namcfg/../../../../../etc/passwd
java.io.FileNotFoundException: ./namconfig/NAMExportedConfig_2017-01-16_1249.namcfg/../../../../../etc/passwd (Not a directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at com.netiq.nam.staging.handler.StagingHandler.Ì(y:412)
at com.netiq.nam.staging.handler.StagingHandler.processRequest(y:2547)
at com.volera.roma.servlet.GenericController.doGet(y:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624
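The following is an added illustration (this editor's own Python, not NetIQ's code) of the two defender-side checks the resolution implies: an allowlist validator for the stagingfile parameter that refuses any path separator or traversal segment before the file is opened, and a log scanner that flags the request above, the 4.2.3 rejection message, and the pre-fix FileNotFoundException. It assumes a staging directory of ./namconfig, taken from the exception path in the log; the function names and sample log lines are this example's own.

```python
import re
from pathlib import Path

# Assumption for this example: exported configs live in a staging directory
# that the servlet opens relative to its working directory, matching the
# "./namconfig/" prefix visible in the FileNotFoundException above.
STAGING_DIR = Path("./namconfig")

# Allowlist for the stagingfile parameter: a bare file name built from a small
# character set and carrying the exported-config suffix. No separators at all.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.namcfg$")

# A ".." segment at the start of a value, or after any non-identifier character
# (separator, space, "="), followed by a separator or the end of the value.
_TRAVERSAL_SEGMENT = re.compile(r"(?:^|[^A-Za-z0-9_])\.\.(?:[/\\]|$)")


class InvalidStagingFile(ValueError):
    """Raised when the stagingfile parameter must not be served."""


def resolve_staging_file(stagingfile, base=STAGING_DIR):
    """Return the resolved Path of an allowed staging file, or raise InvalidStagingFile.

    Mirrors the behaviour the article describes for 4.2.3 (reject a null or
    invalid file name) but is an illustration, not NetIQ's implementation.
    """
    if not stagingfile:
        raise InvalidStagingFile("File name is null or is invalid - %r" % (stagingfile,))
    # The parameter names a file, never a path: any separator or NUL byte is
    # grounds for rejection before the content is examined at all.
    if any(ch in stagingfile for ch in ("/", "\\", "\0")):
        raise InvalidStagingFile("File name is null or is invalid - %s" % stagingfile)
    if not _SAFE_NAME.fullmatch(stagingfile):
        raise InvalidStagingFile("File name is null or is invalid - %s" % stagingfile)
    base_real = base.resolve()
    candidate = (base_real / stagingfile).resolve()
    # Defence in depth: even an allowlisted name must still resolve to a direct
    # child of the staging directory (a symlink inside it could point elsewhere).
    if candidate.parent != base_real:
        raise InvalidStagingFile("File name is null or is invalid - %s" % stagingfile)
    return candidate


def is_allowed_staging_file(stagingfile, base=STAGING_DIR):
    """Boolean wrapper around resolve_staging_file for quick checks."""
    try:
        resolve_staging_file(stagingfile, base)
        return True
    except InvalidStagingFile:
        return False


# Constructed sample log lines for the detector below, adapted from the
# request and the messages shown in this article; not taken from a real host.
SAMPLE_LOG_LINES = [
    "GET /roma/system/cntl?handler=staging&actionCmd=download"
    "&stagingfile=NAMExportedConfig_2017-01-16_1249.namcfg HTTP/1.1",
    "GET /roma/system/cntl?handler=staging&actionCmd=download"
    "&stagingfile=../../../../../../../../../../etc/passwd HTTP/1.1",
    "Requested config was not returned. File name is null or is invalid"
    " - ../../../../../etc/passwd",
    "java.io.FileNotFoundException: ./namconfig/NAMExportedConfig_2017-01-16_1249"
    ".namcfg/../../../../../etc/passwd (Not a directory)",
]


def find_traversal_attempts(lines):
    """Return the log lines that record a traversal attempt against the staging handler.

    Three shapes are recognised: an access-log request whose stagingfile value
    carries a ".." segment, the 4.2.3 rejection message, and the pre-fix
    FileNotFoundException under ./namconfig/.
    """
    hits = []
    for line in lines:
        if "stagingfile=" in line:
            value = line.split("stagingfile=", 1)[1].split("&", 1)[0].split(" ", 1)[0]
            if _TRAVERSAL_SEGMENT.search(value):
                hits.append(line)
        elif (line.startswith("Requested config was not returned")
              or "FileNotFoundException: ./namconfig/" in line):
            if _TRAVERSAL_SEGMENT.search(line):
                hits.append(line)
    return hits


if __name__ == "__main__":
    for name in ("NAMExportedConfig_2017-01-16_1249.namcfg",
                 "../../../../../../../../../../etc/passwd",
                 "NAMExportedConfig_2017-01-16_1249.namcfg/../../../../../etc/passwd"):
        print("%-70s allowed=%s" % (name, is_allowed_staging_file(name)))
    for hit in find_traversal_attempts(SAMPLE_LOG_LINES):
        print("ALERT:", hit)
```

The validator rejects the parameter at the name level rather than trying to normalise a path, so the second crafted form above (a legitimate file name followed by "/../") never reaches the filesystem; the resolve() check is only a backstop for symlinks. The scanner is intended for a quick sweep of existing access and catalina logs on a 4.2 host that has not yet been patched.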