Advisory

Han Sahin, September 2014

Missing access control on Websense Explorer web folder

Abstract

It was discovered that no access control is enforced on the explorer_wse path, which is exposed through the web server. An attacker can abuse this issue to download any file exposed by this path, including security reports and Websense Explorer configuration files.

Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well.

Fix

This issue is resolved in TRITON APX Version 8.0. More information about the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

Introduction

Websense Data Security Suite contains three modules - Data Security Gateway, Data Discover, and Data Endpoint - that can help manage the risk of losing your data to malicious users or accidental misuse.

The Apache server of Websense Data Security has mapped the explorer_wse path to a folder used by Websense for storing generated reports. No access control is enforced on this folder, so files stored in it are accessible to unauthenticated users. An attacker can abuse this issue to download any file exposed by this path, including security reports and Websense Explorer configuration files.

Details

When a scheduled report has run, the report file is sent to recipients as an email attachment. Scheduled reports are also saved within explorer_wse, which is accessible to unauthenticated users. This vulnerability allows unauthenticated (proxy) users to download resources from the Websense reporting folder, including confidential Web Security incident reports and Websense Explorer configuration files. For example:
https://<target>:9443/explorer_wse/Other/1407992150/Securify_1407992150.xls
https://<target>:9443/explorer_wse/websense.ini
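
To review whether files under explorer_wse have already been fetched, the following added example (not part of the original advisory and not Websense code) scans web server access log lines for successful downloads from that path by clients outside a management network. It assumes Apache common/combined log format; the management network, client addresses and log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: management stations expected to fetch reports (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/28")]

def is_admin(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname or junk in the host field: treat as untrusted
    return any(addr in net for net in ADMIN_NETS)

def find_report_downloads(lines, prefix="/explorer_wse/"):
    """Return (time, host, path, status) for 2xx fetches by non-admin hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m.group("path").split("?", 1)[0])
        status = int(m.group("status"))
        if not path.lower().startswith(prefix):
            continue
        if 200 <= status < 300 and not is_admin(m.group("host")):
            hits.append((m.group("time"), m.group("host"), path, status))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.5.3 - - [14/Aug/2014:07:01:12 +0200] "GET /explorer_wse/websense.ini HTTP/1.1" 200 2048',
    '192.168.40.17 - - [14/Aug/2014:07:05:44 +0200] "GET /explorer_wse/Other/1407992150/Securify_1407992150.xls HTTP/1.1" 200 88213',
    '192.168.40.17 - - [14/Aug/2014:07:05:50 +0200] "GET /explorer_wse/websense.ini HTTP/1.1" 200 2048',
    '192.168.40.22 - - [14/Aug/2014:07:09:02 +0200] "GET /explorer_wse/missing.xls HTTP/1.1" 404 310',
    '192.168.40.30 - - [14/Aug/2014:07:10:00 +0200] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_report_downloads(SAMPLE_LOG):
        print(*hit)
```

Any hit is a file that left the reporting folder to a client outside the management network and should be treated as disclosed.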
