CA ERwin Web Portal Directory Traversal

May 30, 2014

The CA ERwin Web Portal is a simple, customizable, web-based interface that helps users to visualize the important metadata information that is stored in CA ERwin Data Modeler. It allows easy access to information via the web, with a variety of presentation and search formats to cater to a wide range of user types in the organization. The interface serves HTTP requests on port TCP/19980.

CA ERwin Web Portal provides users the ability to download XML configuration files from default configuration directory fulfilled by ConfigServiceProviderServlet servlet on the server. The following is definition of this servlet:

  ConfigServiceProvider MITI.mimbagent.ConfigServiceProviderServlet 3  

A directory traversal vulnerability exists in CA ERwin Web Portal. The vulnerable code fails to properly sanitize the ".." directory traversal pattern in the user supplied data. This allows an attack to create/overwrite XML files outside the designed content folder, which can lead to security restriction bypassing and possibly remote code execution.

Dell SonicWALL threat team has researched this vulnerability and released the following IPS signature for it.

  • IPS:3865 CA ERwin Web Portal Directory Traversal 3

This vulnerability is referred by CVE as CVE-2014-2210.