BizTalk360 Directory Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A directory traversal vulnerability has been identified in BizTalk360 versions prior to 11.6.3963.2611. It arises from improper handling of user-supplied input when constructing file paths, allowing an attacker who holds the Super User role to read arbitrary files from the server or to manipulate authentication with the service. The issue is exacerbated by the fact that the BizTalk360 application runs with high privileges, including local administrator rights on all BizTalk servers and sysadmin access on the MS-SQL database server.
Impact
Exploitation of this vulnerability allows authenticated administrators to read any file on the server or access remote shares, potentially coercing the BizTalk360 service account to the SQL server hosting the application's database.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'AdminBusinessService' DownloadAttachment handler with an absolute path in the 'attachmentLink' parameter. This will trigger the download of the specified file, bypassing normal access controls.
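The root cause described above is a file path built directly from a request parameter. As an added illustration written for this page (not BizTalk360's code), the following Python function shows the containment check a download handler needs before using a user-supplied attachment link: absolute paths, drive letters, UNC share paths and parent-directory segments are refused, and the resolved path is checked against the attachment root again after real-path resolution. The root directory, function names and sample values are all assumed for the example.

```python
import os
import re

# Constructed attachment root for this example (not a BizTalk360 path).
ATTACHMENT_ROOT = os.path.join(os.sep, "srv", "bt360", "attachments")

# Matches a Windows drive prefix such as "C:" at the start of the value.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


class UnsafeAttachmentLink(ValueError):
    """Raised when an attachment link would name a file outside the root."""


def resolve_attachment_path(attachment_link: str, root: str = ATTACHMENT_ROOT) -> str:
    """Map a user-supplied attachment link to a file path inside `root`.

    The link is only ever treated as a relative name under `root`. Anything
    that could name a location outside it (absolute paths, drive letters,
    UNC shares, '..' segments, NUL bytes) is rejected before any file
    system access takes place.
    """
    if not attachment_link or "\x00" in attachment_link:
        raise UnsafeAttachmentLink("empty link or embedded NUL byte")

    # Treat both separators the same so "..\\" is not missed on Linux and
    # "../" is not missed on Windows.
    link = attachment_link.replace("\\", "/")

    if link.startswith("/") or _DRIVE_RE.match(link):
        # Covers "/etc/passwd", "C:/Windows/..." and UNC "//server/share/...".
        raise UnsafeAttachmentLink("absolute, drive-qualified or UNC path")

    # Walk the segments and refuse traversal instead of trying to collapse it.
    segments = []
    for seg in link.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            raise UnsafeAttachmentLink("parent-directory segment")
        segments.append(seg)
    if not segments:
        raise UnsafeAttachmentLink("link names no file")

    candidate = os.path.join(root, *segments)

    # Defence in depth: after real-path resolution (which also follows
    # symlinks) the result must still sit under the attachment root.
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    if os.path.commonpath([root_real, cand_real]) != root_real:
        raise UnsafeAttachmentLink("resolved path leaves the attachment root")
    return cand_real


def is_safe_attachment_link(attachment_link: str, root: str = ATTACHMENT_ROOT) -> bool:
    """Boolean form of the check, convenient for audit logging and tests."""
    try:
        resolve_attachment_path(attachment_link, root)
        return True
    except UnsafeAttachmentLink:
        return False


if __name__ == "__main__":
    # Constructed sample values of the kind a download handler might receive.
    samples = [
        "reports/summary.txt",          # accepted: relative, inside the root
        "./reports\\summary.txt",       # accepted: Windows separator, still inside
        "/etc/passwd",                  # rejected: absolute path
        "C:\\Windows\\win.ini",         # rejected: drive-qualified path
        "\\\\fileserver\\share\\x.txt", # rejected: UNC share path
        "../../etc/passwd",             # rejected: traversal
    ]
    for link in samples:
        verdict = "ACCEPT" if is_safe_attachment_link(link) else "REJECT"
        print(f"{verdict:6} {link!r}")
```

In a real handler the rejection branch is also the place to write an audit record: a Super User submitting an absolute or UNC value in this parameter is exactly the request the advisory describes, and logging it gives the SOC a signal to alert on.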
Remediation
Users are advised to update to BizTalk360 version 11.6.3963.2611 or later.
