Bugtraq mailing list archives
Re: IRM Security Advisory 002: Netware Web Server Source Disclosure
From: eNowak IGF remote <nowak () rz uni-frankfurt de>
Date: Thu, 20 Dec 2001 01:45:00 +0200
The given example
http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf
results in "Cannot read from insecure path." according to viewcode.jse code fragment:

    // only read file which is under the secure sewse path -- hence filtering ".."
    if ((argv[i]).indexOf("..") != -1) {
        return "Cannot read from insecure path.";
    }

System: NW5.1sp3
sys:/novonyx/suitespot/docs/sewse/viewcode.jse of 03/12/01.

Workarounds:
~~~~~~~~~~~~
Apply service pack, latest version out since 5 months!

Greetings E.N.

--
---------------------------------------------------------
Eberhard Nowak, JWG-Universitaet, Hochschulrechenzentrum
Grueneburgplatz 1, 60629 Frankfurt, Germany
Phone : +49 69 798-33198 Fax: +49 69 798-28313
E-mail: nowak () rz uni-frankfurt de

IRM Security Advisories <advisories () irmplc com> 19.12.2001 12:44 >>>

demonstrate the flexibility and features of the product. However, one sample page uses a Netware Loadable Module (NLM) called sewse.nlm to call a script called viewcode.jse. The viewcode.jse file is designed to be used to display the source code of sample files called httplist.htm and httplist.jse. These file names are passed as parameters to the NLM through a URL such as (URL may wrap):

http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse

The application checks the files being requested by requiring that the httplist directory is specified in the path to the files to be viewed. However, it is possible to traverse directories using /../ after httplist. The sewse.nlm module runs with sufficient permissions whereby it is possible to traverse to any file on the file system and view the contents. There are many files that may be of interest to an attacker and these include:

[...]

Workarounds:
~~~~~~~~~~~~
A workaround involves removing all sample web pages and sample NLMs.

[...]
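
Added example (not part of either message, and not Novell's viewcode.jse): the two checks discussed in this thread, next to a stricter one that resolves the argument segment by segment and accepts it only if the result stays under the httplist directory. The function names, the BASE constant and the "notes..txt" sample are assumptions made for illustration; the other sample arguments come from the URLs quoted above.

```javascript
// Illustrative only. BASE is taken from the URLs in the thread.
const BASE = "sys:/novonyx/suitespot/docs/sewse";

// Check as the advisory describes it: the httplist directory must be in the path.
function requiresHttplist(arg) {
  return arg.indexOf("httplist/") === 0;
}

// Check quoted in the reply: pass only arguments that do not contain "..".
function rejectsDotDot(arg) {
  return arg.indexOf("..") === -1;
}

// Stricter alternative: resolve "." and ".." segments, then require that the
// result is a file below BASE/httplist. Returns the full path, or null.
function resolveUnderHttplist(arg) {
  // Volume-qualified or absolute arguments are never relative to BASE.
  if (arg.indexOf(":") !== -1 || /^[\/\\]/.test(arg)) return null;
  const out = [];
  for (const seg of arg.split(/[\/\\]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would climb above BASE
      out.pop();
    } else {
      out.push(seg);
    }
  }
  if (out.length < 2 || out[0] !== "httplist") return null;
  return BASE + "/" + out.join("/");
}

// One row per argument, showing how each check decides.
function compare(args) {
  return args.map((arg) => ({
    arg,
    requiresHttplist: requiresHttplist(arg),
    rejectsDotDot: rejectsDotDot(arg),
    resolved: resolveUnderHttplist(arg),
  }));
}

const SAMPLES = [
  "httplist/httplist.htm",                        // from the advisory
  "httplist/../../../../../system/autoexec.ncf",  // from the reply
  "httplist/notes..txt",                          // constructed: harmless name containing ".."
];
console.table(compare(SAMPLES));
```

The substring filter blocks the traversal argument but also refuses the harmless "notes..txt" name, while the resolving check decides on where the path actually ends up.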