[UNIX] Critical Path inJoin Directory Server Web Traversal Issue
From: support@securiteam.com Date: 05/12/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 12 May 2002 14:53:13 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Critical Path inJoin Directory Server Web Traversal Issue
------------------------------------------------------------------------
SUMMARY
This advisory documents a web traversal vulnerability in the Web-based
administrator interface, named iCon, of the
<http://www.cp.net/solutions/index.html> inJoin Directory Server that
allows an attacker with the correct username and password to read any file
accessible to the ids user.
DETAILS
Vulnerable systems:
* Critical Path inJoin V4.0 Directory Server under Solaris 2.8
Immune systems:
* Critical Path inJoin version 4.1.4.7
The administrative web server, iCon, listens on TCP port 1500, and runs
under the ids account. By connecting to this port using a web browser and
entering a correct administrator username and password, an operator can
remotely administer the Directory Server and view log entries. The URL
used to view log entries is of the form:
http://ip:1500/CONF&LOG=iCon.err&NOIH=no&FRAMES=y
The value of the LOG= parameter refers to a file named iCon.err.
Unfortunately, no checks are performed on the location of this value.
Therefore, an authenticated user can replace the LOG= parameter with the
absolute path to a file and read its contents. For example, the
following request returns the /etc/passwd file:
http://ip:1500/CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y
Only those files that can be read by the ids account are accessible. For
example, by default, /etc/shadow cannot be retrieved. Testing confirmed
that the attack is not successful without the correct administrator
username and password.
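The missing check and a way to spot abuse of it in access logs, as an added example that is not part of the advisory or of Critical Path's product; the log directory, the log-line format and all sample requests are constructed assumptions:

```python
import os
import re
from urllib.parse import unquote

LOG_DIR = "/opt/ids/logs"  # constructed assumption: the only directory iCon should serve logs from

def resolve_log_path(log_param, log_dir=LOG_DIR):
    """Return the absolute path for a LOG= value, or None if it would leave log_dir.
    This is the location check the advisory describes as missing: absolute paths are
    refused, the value is joined under log_dir, and the symlink-resolved result must
    still lie inside log_dir (so ../ sequences and symlinks cannot escape it)."""
    if not log_param or os.path.isabs(log_param):
        return None
    root = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(root, log_param))
    return candidate if os.path.commonpath([root, candidate]) == root else None

def log_param(target):
    """Extract the LOG= value from an iCon-style target such as
    /CONF&LOG=iCon.err&NOIH=no&FRAMES=y (parameters follow '&', there is no '?').
    Percent-decoding first means encoded slashes and dots are not overlooked."""
    for part in target.split("&")[1:]:
        key, _, value = part.partition("=")
        if key == "LOG":
            return unquote(value)
    return None

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_traversal_requests(access_log_lines, log_dir=LOG_DIR):
    """Return (line_no, LOG value) for each logged request whose LOG= value
    fails resolve_log_path, i.e. names a file outside the log directory."""
    hits = []
    for line_no, line in enumerate(access_log_lines, 1):
        match = REQUEST_RE.search(line)
        value = log_param(match.group(1)) if match else None
        if value is not None and resolve_log_path(value, log_dir) is None:
            hits.append((line_no, value))
    return hits

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - admin [12/May/2002:14:53:13 +0200] "GET /CONF&LOG=iCon.err&NOIH=no&FRAMES=y HTTP/1.0" 200 4096',
    '203.0.113.5 - admin [12/May/2002:14:54:02 +0200] "GET /CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y HTTP/1.0" 200 1187',
    '203.0.113.5 - admin [12/May/2002:14:54:40 +0200] "GET /CONF&LOG=../../etc/passwd&NOIH=no&FRAMES=y HTTP/1.0" 200 1187',
    '203.0.113.5 - admin [12/May/2002:14:55:11 +0200] "GET /CONF&LOG=..%2F..%2Fetc%2Fpasswd&NOIH=no&FRAMES=y HTTP/1.0" 200 1187',
]
```

Running flag_traversal_requests(SAMPLE_ACCESS_LOG) reports lines 2 to 4; the first line, which names a file inside the log directory, passes.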
Vendor Response
Critical Path Inc:
"Critical Path was contacted on April 30, 2002 and has implemented
preventative fixes for this issue. A maintenance release to be known as
iCon 4.1.4.7 will be posted on the Critical Path support website at
http://support.cp.net, which is available to supported customers. This
will be within the next few weeks, dependent upon other fixes that need to
be made available in this maintenance release."
Solution/Workaround:
Filter TCP port 1500 at the border to prohibit public access to the
Directory Server's administrative interface.
Use a strong password on the Directory Server administrator account and
change it regularly. Distribute the password only to Directory Server
administrators.
Modify permissions on sensitive files to prohibit access by the ids user.
Though administration of the Directory Server over SSL is currently not
supported, Critical Path recommends the use of VPN software to mitigate
the risk of disclosure of the administrator username and password. The
next major release of the Critical Path Directory Server will feature
SSL-enablement of the web-based management interface.
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisories@nmrc.org>
Information Anarchy 2K01.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.