Re: Groupwise Web Interface

[eckma009 () UMN EDU (Brian)]

<<<mass snippage>>>

> 1. The help argument in GWWEB.EXE reveal full web path on the server
> 2. anyone can read a .htm file on the system with the GWWEB.EXE and
> the HELP agument.

> by sending http://server/cgi-bin/GW5/GWWEB.EXE?HELP=../../../../../index
> You will see the main web site interface.

<<<end mass snippage>>>

The above example will vary based on how your Web server is set up.
The exact path listed above did not work for me, but modifying it
to match my server set up did. Note that testing was done on NetWare 4.11 SP6

The vulnerability will also show the contents of .html files, but not .shtml

Possible workaround: Change extension to .shtml - these are not shown

Possible workaround: For each Web page, have two separate pages with
the same name - one with .htm extension and one with .html extension. Use
.htm for the pages with real content. When two pages with the same name,
but these different extensions exist, this vulnerability will show .html
instead
of .htm.

Possible workaround: Turn off WebAccess until Novell fixes it.

Possible (recommended) solution: Use separate server for Web pages and
GroupWise WebAccess. Apache seems to be a good choice... haven't seen it
for NetWare though.

Note that this DOES show pages that are in areas normally requiring
authentication, without requiring such authentication, therefore making it
a security risk. Relative-path links from this page will be broken; absolute
paths will (of course) work normally.
If you don't have any areas of the site that require authentication, this
problem doesn't matter.

Also - after deleting the page entirely from the server, and accessing it
from another computer that did not have it in cache, I was still able to
access the now non-existing page. I assume it's still in the server's
cache... (I even purged it and still accessed it)  Shift-reload did not
change anything.

Brian