IBM webMethods Hybrid Integration

  • 1.  Security Concern – Restricting File Access via WxConfig UI

    Posted yesterday

    During a recent security scan, it was discovered that files within the webMethods installation directory could be edited via the WxConfig UI page. As you know, WxConfig is primarily used to manage environment-specific configuration files and provides a UI to view and edit these files.

    The concern is that the UI allows manipulation of file names through browser developer tools (e.g., using Inspect Element and tampering with the request URL). This behavior potentially exposes the system to unauthorized access and modification of files beyond the intended scope.

    Observed Behavior:

    • By default, WxConfig UI has access to configuration files under the path:
      .../IntegrationServer/instances/default/packages/<packageName>/config/*.cnf
    • However, using browser tools, it is possible to alter the file path in the request and gain access to sensitive files under:
      .../IntegrationServer/instances/default/
      such as startup.sh or custom_wrapper.conf, and edit them via the UI.

    Could anyone advise on how this behavior can be restricted or mitigated within the WxConfig implementation?
    Any best practices or configuration changes to limit file access strictly to intended directories would be greatly appreciated.



    ------------------------------
    Satya Veerendra Alluri
    ------------------------------
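One way to implement the kind of restriction the question asks for, shown as an added example that is not part of this thread or of the WxConfig package: the service behind the edit page maps the requested name to a canonical path and only proceeds if that path still lies directly inside the package's config directory and carries an allowed extension. The instance root, the package name and the request strings are constructed for illustration.

```python
from pathlib import Path

# Constructed example paths following the layout described in the post
# (assumption: the instance lives under /opt/softwareag).
INSTANCE_ROOT = Path("/opt/softwareag/IntegrationServer/instances/default")
ALLOWED_SUFFIXES = {".cnf"}


def resolve_config_file(package_name: str, requested: str,
                        instance_root: Path = INSTANCE_ROOT) -> Path:
    """Map a UI request to the one file it may touch, or raise ValueError.

    The package name must be a plain directory name, and the canonical
    result (after '..' and symlinks are collapsed) must sit directly in
    <package>/config with an allowed suffix. Checking the canonical path,
    not the raw string, is what defeats tampered request URLs.
    """
    for part in (package_name, requested):
        if not part or "\x00" in part or "\\" in part:
            raise ValueError(f"rejected component: {part!r}")
    if "/" in package_name or package_name in (".", ".."):
        raise ValueError(f"invalid package name: {package_name!r}")
    base = (instance_root / "packages" / package_name / "config").resolve()
    candidate = (base / requested).resolve()   # absolute input replaces base
    if candidate.parent != base:               # must be directly under config/
        raise ValueError(f"outside package config dir: {requested!r}")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"not an editable config file: {requested!r}")
    return candidate


def classify_requests(package_name: str, requests):
    """Return {request: 'allowed' | 'rejected: <reason>'} for a batch of names."""
    verdicts = {}
    for req in requests:
        try:
            resolve_config_file(package_name, req)
            verdicts[req] = "allowed"
        except ValueError as exc:
            verdicts[req] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    # Constructed requests: a legitimate name plus the tampered paths from the post.
    sample = ["server.cnf", "../../startup.sh", "../../custom_wrapper.conf",
              "/etc/passwd", "..\\..\\startup.sh", "sub/other.cnf", "notes.txt"]
    for req, verdict in classify_requests("WxConfig", sample).items():
        print(f"{req:28} {verdict}")
```

The same two checks (canonicalise, then verify containment and extension) apply whatever language the package's services are written in; rejecting the request before any file handle is opened is the point.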


  • 2.  RE: Security Concern – Restricting File Access via WxConfig UI

    Posted yesterday

    I don't have access to the WxConfig package, but it seems like a tool for administrators only. Do the package's services have the Administrator ACL? 

    Users who are logged in with that ACL already have powerful access to the file system with various other built-in services.



    ------------------------------
    Dave Laycock
    ------------------------------