iPlanet Calendar Server May Disclose Administrator Name and Password to Local Users
SecurityTracker Alert ID: 1001356|
SecurityTracker URL: http://securitytracker.com/id/1001356
(Links to External Site)
Date: Apr 18 2001
Disclosure of authentication information|
Exploit Included: Yes |
It is reported that the default installation of the iPlanet Calendar Server stores the NAS LDAP admin username and password in plaintext in a world readable file, allowing local users to gain administrator access to the calendar server.|
The file used is:
-rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18 /opt/SUNWics5/cal/bin/config/ics.conf
The authentication data is stored in the following fields:
This reportedly could give a local user full read/write access to the underlying NAS LDAP database (which is normally used for admin facilities such as storing user / group profiles, passwords, ACLs, SSL certificates and/or other sensitive company information), and full administrative control of the local NAS server.
The vendor has reportedly been notified.
A local user could gain read/write access to the LDAP database.|
No solution was available at the time of this entry.|
Vendor URL: www.iplanet.com/ (Links to External Site)
|Underlying OS: UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT)|
Source Message Contents
Subject: iplanet calendar server 5.0p2 exposes Netscape Admin Server|
at the time of writing, 5.0p2 is the currently available revision on
iplanet's download site.
the standard install of iPlanet Calendar server stores the NAS LDAP
admin username and password in plaintext in the world readable file:
-rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18
in the fields
this potentially gives all local users full read/write access to the
underlying NAS LDAP database (which is normally used for admin
facilities such as storing user / group profiles, passwords, ACLs, SSL
certificates and/or other sensitive company information), and full
administrative control of the local NAS server. this access could in
turn lead to compromise of other facilities such as web/e-commerce
sites, directories etc.
i believe that the default install of the underlying NAS LDAP server and
associated administration packages allow remote admin via tcp/ip, so
other remote compromises that allow reading of world readable files (or
any other disclosures of the above file contents) could lead to full
remote read/write access of the NAS LDAP database and full remote
administrative control of the server.
this was reported to iplanet at the end of february 2001, who requested
i submit it to netscape's online bug-tracking system which i did on 3rd
march. i have heard nothing from them since. i have not personally
investigated or tested any fix for this.
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
Voysey House http://www.thebunker.net
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:email@example.com
UNITED KINGDOM PGP key on keyservers