Re: IRM Security Advisory 002: Netware Web Server Source Disclosure
From: eNowak IGF remote (nowak@rz.uni-frankfurt.de)
Date: 12/20/01
Date: Thu, 20 Dec 2001 01:45:00 +0200
From: eNowak IGF remote <nowak@rz.uni-frankfurt.de>
To: bugtraq@securityfocus.com
The given example
http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf
results in
"Cannot read from insecure path."
according to viewcode.jse code fragment:
// only read file which is under the secure sewse path -- hence filtering ".."
if ((argv[i]).indexOf("..") != -1)
{ return "Cannot read from insecure path."; }
System: NW5.1sp3
sys:/novonyx/suitespot/docs/sewse/viewcode.jse of 03/12/01.
Workarounds:
~~~~~~~~~~~~
Apply the service pack; the latest version has been out for 5 months!
Greetings
E.N.
--
---------------------------------------------------------
Eberhard Nowak, JWG-Universitaet, Hochschulrechenzentrum
Grueneburgplatz 1, 60629 Frankfurt, Germany
Phone : +49 69 798-33198 Fax: +49 69 798-28313
E-mail: nowak@rz.uni-frankfurt.de

>>> IRM Security Advisories<advisories@irmplc.com> 19.12.2001 12:44 >>>
>demonstrate the flexibility and features of the product. However, one
>sample page uses a Netware Loadable Module (NLM) called sewse.nlm to
>call a script called viewcode.jse. The viewcode.jse file is designed to
>be used to display the source code of sample files called httplist.htm
>and httplist.jse. These file names are passed as parameters to the NLM
>through a URL such as (URL may wrap):
>
>http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse
>
>The application checks the files being requested by requiring that the
>httplist directory is specified in the path to the files to be viewed.
>However, it is possible to traverse directories using /../ after
>httplist. The sewse.nlm module runs with sufficient permissions whereby
>it is possible to traverse to any file on the file system and view the contents.
>There are many files that may be of interest to an attacker and these
>include:[...]
>
>Workarounds:
>~~~~~~~~~~~~
>A workaround involves removing all sample web pages and sample NLMs.[...]
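The ".." substring check quoted in the message, set beside a resolve-then-contain check, as an added example that is not part of the original message and is not Novell's code. BASE_DIR, the function names, the "/"-separated path model and the sample arguments are assumptions made for illustration; no NetWare APIs are used.

```javascript
// Added example: plain JavaScript model of the check, not the viewcode.jse source.
const BASE_DIR = "/docs/sewse"; // constructed stand-in for the sample script directory

// Same test as the quoted fragment: any argument containing ".." is refused.
function substringFilter(arg) {
  return arg.indexOf("..") === -1; // true means the argument is allowed
}

// Collapse "." and ".." segments; null if the path would climb above the root.
function normalizeSegments(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out;
}

// Resolve the argument under BASE_DIR and accept it only if the resolved
// path is still strictly inside BASE_DIR/httplist.
function resolveContained(arg) {
  // Absolute, backslash-separated or volume-qualified ("sys:") arguments are refused outright.
  if (arg.startsWith("/") || arg.includes("\\") || arg.includes(":")) return null;
  const base = normalizeSegments(BASE_DIR + "/httplist");
  const full = normalizeSegments(BASE_DIR + "/" + arg);
  if (full === null || full.length <= base.length) return null;
  for (let i = 0; i < base.length; i++) {
    if (full[i] !== base[i]) return null;
  }
  return "/" + full.join("/");
}

// Run both checks over a list of arguments and report the decisions side by side.
function compare(args) {
  return args.map((a) => ({
    arg: a,
    substringAllows: substringFilter(a),
    resolved: resolveContained(a),
  }));
}
```

Both checks refuse the traversal argument from the advisory. They differ on a harmless name such as `httplist/notes..txt`, which the substring test refuses and the containment check resolves normally.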