[NEWS] Novell Groupwise Arbitrary File Retrieval Vulnerability
From: support@securiteam.com
Date: 10/23/01

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Novell Groupwise Arbitrary File Retrieval Vulnerability
Message-Id: <20011023074915.8EDE5138BF@mail.der-keiler.de>
Date: Tue, 23 Oct 2001 09:49:15 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Novell Groupwise Arbitrary File Retrieval Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability exists in Novell's GroupWise server that allows arbitrary
viewing of files anywhere on the system. This includes files outside of
the web root, but on the same volume as the web server.
DETAILS
The Novell GroupWise server has a web-based front-end for users to access
e-mail and other functions of the server. The default login page is
accessed by the URL:
/servlet/webacc
The webacc servlet usually loads templates from the "/" directory; however,
it will follow directory traversal sequences in the supplied path. It is
possible to view the full path of the server install by passing an invalid
argument to the User.html variable:
/servlet/webacc?User.html=noexist
This request displays the full path of the GroupWise installation.
Arbitrary files can be read by the webacc servlet by passing the
appropriate file name and appending a null character to the string:
/servlet/webacc?User.html=../../../../../../../../boot.ini%00
Administrators should note that the GroupWise configuration files can be
viewed with this exploit. Care should be taken to limit the amount of
sensitive data within these files.
Proof of concept:
From a browser, make the following URL request:
http://server:port/servlet/webacc?User.html=../../../../../../../../boot.ini%00
Solution:
Please contact the vendor for a solution. Customers should obtain upgraded
software by contacting their customer support representative to obtain
patches.
The severity of this vulnerability and vulnerabilities of a similar nature
can be significantly reduced by installing the GroupWise server (or other
application) files on a disk volume separate from the Windows system root.
ADDITIONAL INFORMATION
The information has been provided by Mike Shema of Foundstone, Inc.
<mike.shema@foundstone.com>.
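For log review, the requests described in this advisory can be picked out of web server access logs. The Python below is an added example, not part of the original advisory or of any Novell tooling; the Common Log Format input, the sample lines and the `frames` template allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2001:09:49:15 +0200] "GET /servlet/webacc HTTP/1.0" 200 5120
192.0.2.44 - - [23/Oct/2001:09:50:02 +0200] "GET /servlet/webacc?User.html=noexist HTTP/1.0" 200 312
192.0.2.44 - - [23/Oct/2001:09:50:31 +0200] "GET /servlet/webacc?User.html=../../../../../../../../boot.ini%00 HTTP/1.0" 200 211
192.0.2.11 - - [23/Oct/2001:09:52:00 +0200] "GET /servlet/webacc?User.html=frames HTTP/1.0" 200 4096
"""
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"', re.M)

def fully_decode(value, rounds=3):
    """Normalise repeated percent-encoding so matching does not depend on it."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(value, known_templates=None):
    """Return the reasons a User.html value should be reviewed (empty if none)."""
    value = fully_decode(value)
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if ".." in re.split(r"[\\/]", value):
        reasons.append("traversal")
    # known_templates: hypothetical site-specific allowlist of template names.
    if known_templates is not None and not reasons and value not in known_templates:
        reasons.append("unknown-template")
    return reasons

def scan(log_text, known_templates=None):
    """Return (client, raw_url, reasons) for each webacc request worth reviewing."""
    findings = []
    for client, url in REQUEST.findall(log_text):
        parts = urlsplit(url)
        if parts.path.lower() != "/servlet/webacc":
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify(value, known_templates) if key == "User.html" else []
            if reasons:
                findings.append((client, url, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, known_templates={"frames"}):
        print(finding)
```

Without an allowlist only the traversal and null-byte checks apply; passing one also surfaces invalid template names such as the path-disclosure request.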