UPDATED Researchers say that HCL Digital Experience (DX), a platform for creating and administering online portals, contains several vulnerabilities that might lead to remote code execution (RCE).
According to a blog post published by Australian attack surface management firm Assetnote, the vendor, HCL Technologies, initially indicated it couldn’t duplicate the problems, which were all server-side request forgery (SSRF) flaws.
On December 30, five days after Assetnote’s disclosure, HCL Software, a division of HCL Technologies, issued a security advisory with remedies for an SSRF bug credited to Shah and a related inefficient regular expression vulnerability.
“It’s our policy to share as soon as remediation/mitigation is possible,” Brian Blackshaw, director of PSIRT Operations at HCL Software, told The Daily Swig.
WebSphere Portal is a service provided by IBM.
Until HCL Technologies, an Indian IT conglomerate, bought the product from IBM in 2019, it was known as WebSphere Portal and Web Content Manager.
The New York State Senate, the Bank of Canada, and MidMichigan Health are among the platform’s users, according to HCL Technologies.
Around 3,000 internet-facing instances of the platform were discovered by Assetnote researchers.
According to Assetnote, the vulnerabilities affect Websphere Portal 9 and perhaps newer releases.
‘Extremely naive,’ says the author.
The researchers “turned a restrictive, bad SSRF into a good SSRF” after discovering an endpoint that allowed them to redirect requests to an arbitrary URL, smuggle this “redirect gadget” into the original SSRF payload, and open a diagram in a new tab, according to Shubham Shah, co-founder and CTO of Assetnote.
Shah said the researchers “discovered something that seemed really stupid and frankly, we couldn’t understand why it existed in the first place” after viewing the source code: a web proxy system that was enabled by default but limited to a few “trusted” sites.
