# Exploit Title: Vordel XML Gateway version 6.03 Directory Traversal
# Date: 2011-05-24 01:36:48 PM
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# upSploit Ref: UPS-2011-0023
# CVE : na

*Advisory Summary*

Unauthenticated generic web server directory traversal in Vordel XML gateway version 6.03 management interface port 8090 compounded with the service running as root provides full file system access to the system which allows for full access password and configuration files.

*Vendor*

Vordel

*Affected Software*

Vordel Gateway 6.03

http://www.vordel.com/products/gateway/index.html
Vordel Gateway is a purpose-built Gateway, often referred to as an XML Gateway or SOA appliance, available in multiple form factors, designed to accelerate, secure and integrate all types of traffic on the SOA network. It offers policy-driven efficient processing of SOAP, REST, XML and other data formats; protocol and content transformation on the wire; XML filtering and access control to services and enables organizations to govern their SOA infrastructure. Deployable standalone or as an integral component of a strategic enterprise SOA infrastructure, the XML Gateway/SOA appliance interfaces with Enterprise Service Buses, Enterprise Management, and Identity Management platforms. Easy to install and maintain, it offers the greatest deployment flexibility possible, and is available as a hardened network appliance, software, virtual appliance or an Amazon AMI.

*Description of Issue*

It has been determined that by providing an encoded URL request system files are exposed via the management port 8090. Default configuration amplifies the issue by running services as the root user extends what this traversal has access too.

*PoC*

http://x.x.x.x:8090/manager/..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow

Encoding slashes with ‘% 2 f’

*Credits*

Brian W. Gray
@BrianWGray

Note: Initial release via upsploit included typo Brian W. Gary which was propogated to other distribution services.

*References*

https://packetstormsecurity.com/files/101697/Secunia-Security-Advisory-44674.html
https://www.exploit-db.com/exploits/35799
https://www.mageni.net/vulnerability/vordel-gateway-directory-traversal-vulnerability-103163
https://vulners.com/openvas/OPENVAS:103163

*Patch/Fix*

This vulnerability has been closed in Vordel Gateway 6.1.0 and later versions