[NEWS] Multiple Vulnerabilities in GroupWise Webaccess and NetWare Web Server

From: support@securiteam.com
Date: 08/25/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Multiple Vulnerabilities in GroupWise Webaccess and NetWare Web Server
Message-Id: <20010825112202.2452A138BF@mail.der-keiler.de>
Date: Sat, 25 Aug 2001 13:22:02 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Multiple Vulnerabilities in GroupWise Webaccess and NetWare Web Server
------------------------------------------------------------------------

SUMMARY

Novell Netware web server and the GroupWise web access contain multiple
vulnerabilities that allow gaining sensitive information on the server
(directory listing, and NDS tree enumeration).

DETAILS

Vulnerable systems:
NetWare Enterprise Web Server 5.1
GroupWise Webaccess 5.5

Issue #1 - Information Leak
When NDS browsing via the web server is enabled, any attacker that can
reach the server's port 80 can also enumerate information such as user
names, group names, and other system information.

The default location for gaining this information is
http://server/lcgi/ndsobj.nlm, which will allow the enumeration if NDS
browsing is enabled.

This is not specifically a GroupWise problem, but Webaccess can
"intensify" the leakage, as it allows more objects to browse. This is
simply a new flavor on an old problem (see
<http://www.nmrc.org/advise/nds1.txt> http://www.nmrc.org/advise/nds1.txt
and <http://razor.bindview.com/publish/advisories/adv_novellleak.html>
http://razor.bindview.com/publish/advisories/adv_novellleak.html for
additional information).

Mitigation for Issue #1
The NDS browser is disabled by default, which is good. If enabled, you can
disable it by performing the following steps from the WEBMGR utility:

  1. Click File.
  2. Click Select Server and select the appropriate server.
  3. Select the \WEB directory on the drive that is mapped to the server
and click OK.
  4. Uncheck the Enable NDS browsing check box and click OK.
  5. Click Save and Restart.
  6. Enter the Web Server password and click OK.

Alternately you can remove [Public] read access from the root of the NDS
tree(s), which will keep everyone, including internal non-authenticated
users from browsing your internal tree.

Solution/Workaround for Issue #1
Awaiting an official response from Novell, including acknowledgement of
the problem. They were notified a few months ago.

Issue #2 - Directory Listing
Poor handling of GET commands will allow GroupWise Webaccess servers to
display indexes of the directories instead of HTML files.

Basically, instead of issuing a "GET / HTTP/1.1" from NetCat against port
80 on the target system, using "get / http/1.1" causes a directory listing
to be displayed if indexing of directories is allowed, instead of a 501 or
502 error when indexing of directories is disallowed.

Mitigation for Issue #2
Unknown; possibly disabling indexing of directories on the web server.

Solution/Workaround for Issue #2
Awaiting an official response from Novell, including acknowledgement of
the problem. They were notified a few months ago.

ADDITIONAL INFORMATION

The information has been provided by <mailto:thegnome@nmrc.org> Simple
Nomad.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.