Bugtraq mailing list archives
IBM Net.Data Local Path Disclosure Vulnerability?
From: Chad Kalmes <chad.j.kalmes () US ARTHURANDERSEN COM>
Date: Tue, 28 Nov 2000 16:45:58 -0000
Not sure if this is exactly a new issue or not, but IBM's Net.Data package (often used in conjunction with NetCommerce3 and db2www) will disclose the local path of server files if fed improper requests. This software is in use on a variety of sites, including several online-shopping locales.

Example (from IBM's own pages):

By issuing a /report request from the document.d2w file, the db2www package builds and displays the proper HTML page, as requested.

VALID CALL:
http://www-4.ibm.com/cgi-bin/db2www/library/document.d2w/report?uid=UNKNOWN&pwd=&search_type=SIMPLE&r_host=&last_page=db2www0022.html&fn=db2www.html#ToC

YIELDS:
Proper web page.

However, by issuing a bad /show request (or /garbarge, /whatever, etc.), the package outputs an error message showing the local path to the d2w macro file, assuming no valid /show function exists within the .d2w file.

INVALID CALL:
http://www-4.ibm.com/cgi-bin/db2www/library/document.d2w/show

YIELDS:
DTWP029E: Net.Data is unable to locate the HTML block SHOW in file /projects/www/netdata/macro/software/library/document.d2w.

While not a security problem per se, it still yields increased information about the local host system. This 'feature' or 'flaw' is present on both *NIX and WIN versions of the software (unsure about OS2) and every instance I've found on the Internet is subject to this disclosure. Path disclosure vulnerabilities have been highlighted in other packages, so I figured I'd point this one out as well.

There may be a debugging switch or custom error message that could be turned on/off that would prevent the output of the Net.Data error to the end user, but I am somewhat unfamiliar with the specifics of the available software/server configuration.

IBM was contacted on 11/27 with an inquiry regarding any ways to prevent this but responded only with a form e-mail linking to a website which offered no support or further contact information without purchasing premium support.

ck
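A response check for the error quoted in the message above, as an added example that is not part of the original post or of IBM's software: it flags response bodies that carry the DTWP029E message together with a macro path, and shows the same pattern used to swap the error for a generic page before it reaches the client. The function names, the replacement text, and the Windows sample are assumptions constructed for illustration.

```python
import re

# Shape of the error quoted in the post: message id, missing block name,
# then the absolute path of the .d2w macro (Unix or Windows style).
NETDATA_ERROR = re.compile(
    r"(?P<msgid>DTWP029E):\s+Net\.Data is unable to locate the HTML block\s+"
    r"(?P<block>\S+)\s+in file\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\s<>\"]*?\.d2w)\.?",
    re.IGNORECASE,
)

def find_disclosures(body):
    """Return one dict (msgid, block, path) per leaking error found in body."""
    return [m.groupdict() for m in NETDATA_ERROR.finditer(body)]

def redact(body, replacement="The requested page is not available."):
    """Replace each leaking error with a generic message (hypothetical wording)."""
    return NETDATA_ERROR.sub(replacement, body)

# Constructed sample responses keyed by request path. The first body uses the
# error text from the post; the Windows one is invented for illustration.
SAMPLES = {
    "/cgi-bin/db2www/library/document.d2w/show":
        "<html><body>DTWP029E: Net.Data is unable to locate the HTML block SHOW "
        "in file /projects/www/netdata/macro/software/library/document.d2w."
        "</body></html>",
    "/cgi-bin/db2www.exe/shop/catalog.d2w/whatever":
        "<p>DTWP029E: Net.Data is unable to locate the HTML block WHATEVER "
        "in file C:\\netdata\\macro\\shop\\catalog.d2w.</p>",
    "/cgi-bin/db2www/library/document.d2w/report":
        "<html><body><h1>Net.Data Library</h1></body></html>",
}

def audit(samples):
    """Map each request path to the server paths its response leaked."""
    return {url: [f["path"] for f in find_disclosures(body)]
            for url, body in samples.items()}

if __name__ == "__main__":
    for url, paths in audit(SAMPLES).items():
        print(("LEAK " if paths else "ok   ") + url, *paths)
```

The same pattern can run over captured responses from your own site's macros during testing, or inside a reverse-proxy body filter in front of db2www.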