[NEWS] GroupWise WebAccess File Disclosure (GWAPACHE.CONF)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/04
To: list@securiteam.com Date: 17 Mar 2004 19:26:12 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
GroupWise WebAccess File Disclosure (GWAPACHE.CONF)
------------------------------------------------------------------------
SUMMARY
Novell has identified an issue with the default configuration of GroupWise
6 and 6.5 WebAccess that could allow unauthorized access to the WebAccess
server. This issue affects only systems running GroupWise 6 or 6.5
WebAccess on NetWare using the Apache 1.3x web server and where Apache is
loaded using the GWAPACHE.CONF file. Customers using a different web
server (such as Novell Enterprise or Apache 2) should not be affected.
DETAILS
Vulnerable Systems:
* Apache Web Server 1.3x for NetWare
* Novell GroupWise 6
* Novell GroupWise 6 WebAccess
* Novell GroupWise 6.5
* Novell GroupWise 6.5 WebAccess
* Novell NetWare 6.0
Fix:
To prevent unauthorized access to a GroupWise WebAccess server, you can
edit the permissions section of the GWAPACHE.CONF file, just under where
the DocumentRoot is specified.
By default, that section reads:
# First, we configure the "default" to be a very restrictive set of
# permissions.
#
<Directory "/">
Options FollowSymLinks
AllowOverride None
</Directory>
That section should read:
<Directory "/">
Options FollowSymLinks
AllowOverride None
Order deny,allow
deny from all
</Directory>
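A configuration check for the fix above, as an added example that is not part of the original advisory or any Novell tooling: it parses a GWAPACHE.CONF-style file and reports whether the <Directory "/"> block carries the two added lines. The sample configurations are constructed from the blocks quoted in the advisory, and the function names are hypothetical.

```python
import re

# Constructed sample: the default <Directory "/"> block quoted in the advisory.
DEFAULT_CONF = '''\
# First, we configure the "default" to be a very restrictive set of
# permissions.
#
<Directory "/">
Options FollowSymLinks
AllowOverride None
</Directory>
'''
# Constructed sample: the same block with the two lines the advisory adds.
FIXED_CONF = DEFAULT_CONF.replace(
    "AllowOverride None\n",
    "AllowOverride None\nOrder deny,allow\ndeny from all\n")

def root_directory_directives(conf_text):
    """Return the directives inside <Directory "/"> (lowercased), or None."""
    inside, found = False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
            inside, found = True, []
        elif inside and re.fullmatch(r"</Directory\s*>", line, re.I):
            inside = False
        elif inside:
            found.append(" ".join(line.lower().split()))
    return found

def audit_root_directory(conf_text):
    """List reasons the root block is not deny-by-default (empty list = OK)."""
    directives = root_directory_directives(conf_text)
    if directives is None:
        return ['no <Directory "/"> block found']
    problems = []
    order = [d for d in directives if d.startswith("order ")]
    if not order or order[-1] != "order deny,allow":
        problems.append("missing 'Order deny,allow'")
    if "deny from all" not in directives:
        problems.append("missing 'deny from all'")
    # Under Order deny,allow a matching Allow still grants access.
    if any(d.startswith("allow from ") for d in directives):
        problems.append("'Allow from' in root block overrides the deny")
    return problems

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_root_directory(conf) or "OK")
```

Run it against a copy of the live file by passing the file's contents to audit_root_directory(); an empty list means the root block matches the corrected form.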
To resolve this issue, you can perform a full installation of the most
recent field-test file for 6.5 SP2 WebAccess (FWA652E.EXE or later), which
is available from http://support.novell.com/filefinder.
ADDITIONAL INFORMATION
The original article can be found at:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10091330.htm