


Category:   Application (Web Server/CGI)  >   Tarantella
Vendors:   Tarantella, Inc.
Tarantella Application Web Server Discloses Files on the Server to Remote Users
SecurityTracker Alert ID:  1001779
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 19 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability has been reported in the Tarantella application server that lets remote users obtain files located anywhere on the server.

The vulnerability reportedly resides in the ttawebtop.cgi module.

If a remote user issues the following type of example URL, the server will return the world-readable password file:


If a remote user attempts to retrieve a file that is not readable by the web server, it will return a 'file missing' error message, as shown below:


File missing

The following file could not be found:


The vendor has reportedly been notified.

Impact:   A remote user can obtain world-readable files located anywhere on the server.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)
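
Added detection example (not part of the original advisory and not vendor code): with no solution available at the time of the entry, one way to look for this kind of request is to scan web server access logs for ttawebtop.cgi requests whose parameter values decode to path-like strings. The log lines are constructed, the /cgi-bin/ prefix and the parameter names are placeholders, and treating ".." segments and absolute system paths as the indicator is an assumption, since the advisory's example URL is not reproduced on this page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (Common Log Format). The /cgi-bin/ prefix and
# the parameter names "p" and "action" are placeholders, not from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jun/2001:10:00:01 -0400] "GET /cgi-bin/ttawebtop.cgi?action=start HTTP/1.0" 200 5120
192.0.2.44 - - [19/Jun/2001:10:02:17 -0400] "GET /cgi-bin/ttawebtop.cgi?p=../../../../etc/passwd HTTP/1.0" 200 734
192.0.2.44 - - [19/Jun/2001:10:02:31 -0400] "GET /cgi-bin/ttawebtop.cgi?p=%252e%252e%252fetc%252fshadow HTTP/1.0" 200 412
192.0.2.77 - - [19/Jun/2001:10:05:09 -0400] "GET /cgi-bin/other.cgi?p=../x HTTP/1.0" 404 210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) (\S+)')
# Assumption: directories a web page parameter has no reason to name directly.
SENSITIVE_RE = re.compile(r"^/(etc|proc|root|var|home)(/|$)")

def decode_fully(value, rounds=3):
    """Strip repeated percent-encoding layers (e.g. %252e -> %2e -> '.')."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_params(url):
    """Return (name, decoded value) for ttawebtop.cgi parameters that look like paths."""
    parts = urlsplit(url)
    if "ttawebtop.cgi" not in parts.path:
        return []
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw).replace("\\", "/")
        if ".." in value.split("/") or SENSITIVE_RE.match(value) or "\x00" in value:
            hits.append((name, value))
    return hits

def scan(log_text):
    """Return one finding per suspicious parameter: client, status, size, name, value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, url, status, size = m.groups()
            size = int(size) if size.isdigit() else 0  # CLF logs "-" for no body
            for name, value in suspicious_params(url):
                findings.append((client, int(status), size, name, value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Both outcomes the advisory describes, a returned file and the 'File missing' page, can be logged with the same status code, so review every flagged request rather than filtering on status.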

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Has Fixed This Issue) Re: Tarantella Application Web Server Discloses Files on the Server to Remote Users
The vendor announces that they have fixed the problem. The vendor reports on which versions were vulnerable.

 Source Message Contents

Subject:  SCO Tarantella Remote file read via ttawebtop.cgi

SCO has been notified of this issue. 

-------- Original Message --------
Subject: SCO Tarantella Remote file read via ttawebtop.cgi
Date: Mon, 18 Jun 2001 13:06:41 -0400
From: KF <>


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync

No perms to shadow... 


File missing

The following file could not be found:


 Please give this information to a Tarantella Administrator.


