Bugtraq mailing list archives
BoS: *** SECURITY ALERT *** (fwd)
From: Mark_W_Loveless () smtp bnr com (Mark_W_Loveless () smtp bnr com)
Date: Thu, 4 Jul 1996 02:33:45 -0500
Yes out of the box it is insecure. However in a random sampling of 10 sites there was 1 site that restricted using ../ so (I assume) that by using Novell's security you CAN restrict this bug.

However you can access files like AUTOEXEC.NCF, and even login scripts in the hidden _NETWARE directory (if you know the name). It does appear you are restricted to the SYS: volume, however if you are using XCONSOLE and have your remote console password in plaintext (instead of encrypted) you are just inviting someone to telnet to the server console....

Mark_W_Loveless () smtp bnr com
Opinions are my own, not my employer's

______________________________ Reply Separator _________________________________
Subject: BoS: *** SECURITY ALERT *** (fwd)
Author: best-of-security () suburbia net at internet
Date: 7/3/96 9:41 PM

---------- Forwarded message ----------
Date: Wed, 3 Jul 1996 14:50:06 -0700 (PDT)
From: TTT Group <ttt () broder com>
Subject: *** SECURITY ALERT ***

I spent some time exploring Novell's HTTP server and out of the box there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's it comes with until you understand (fully understand) what the security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The CGI in question is convert.bas (yes, cgi's in basic, stop laughing). (There may be more CGI's in the scripts dir that can be exploited but this was all I could stomach.)

A remote user can read any file on the remote file system using this CGI. This means that if you are running the Novell HTTP server and have the 'out of box' CGI's, you are breached.

Exploit code:

    http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

I was going to see how bad this threat was by connecting to www servers, testing for "Novell HTTP" in the HTTP server response BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-)

    +links:scripts/convert.bas

will return you all the sites that can be breached.

PLEASE PLEASE PLEASE don't open the box and put machine on the Internet. I am getting tired of this kind of stuff. Who the hell did Novell consult with to write these darn CGI's? It makes me sad.

- --blast
------------------------------
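
Added example, not part of either message above and not Novell's code: a check an administrator could run over the web server's access log to find requests to convert.bas whose query string climbs out of the document tree. It goes beyond the plain ../ form shown in the post by also catching percent-encoded and backslash variants; the Common Log Format layout, the case-insensitive path match and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common Log Format entry (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+)(?: HTTP/[\d.]+)?"')
SCRIPT = "/scripts/convert.bas"  # CGI named in the advisory

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(target):
    """True if the request hits convert.bas with a '..' segment in its query."""
    parts = urlsplit(target)
    # Assumption: the server matches script paths case-insensitively.
    if fully_decode(parts.path).lower() != SCRIPT:
        return False
    # Treat backslashes as separators too, then look for a bare '..' segment.
    query = fully_decode(parts.query).replace("\\", "/")
    return ".." in query.split("/")

def scan(lines):
    """Return (line_number, request_target) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample log lines (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/1996:02:10:01 -0500] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.44 - - [04/Jul/1996:02:11:17 -0500] "GET /scripts/convert.bas?../../anything/you/want/to/view HTTP/1.0" 200 512',
    '192.0.2.44 - - [04/Jul/1996:02:11:40 -0500] "GET /SCRIPTS/CONVERT.BAS?%2e%2e%5c%2e%2e%5cexample.txt HTTP/1.0" 200 230',
    '192.0.2.77 - - [04/Jul/1996:02:12:02 -0500] "GET /scripts/convert.bas?readme.wp HTTP/1.0" 200 880',
    '192.0.2.90 - - [04/Jul/1996:02:12:30 -0500] "GET /scripts/convert.bas?notes..txt HTTP/1.0" 200 80',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit with a 200 status means the file was likely served; the file name "notes..txt" is deliberately not flagged because ".." there is not a path segment.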