Bugtraq mailing list archives

BoS: *** SECURITY ALERT *** (fwd)


From: Mark_W_Loveless () smtp bnr com (Mark_W_Loveless () smtp bnr com)
Date: Thu, 4 Jul 1996 02:33:45 -0500


     Yes, out of the box it is insecure. However, in a random sampling of 10
     sites there was 1 site that restricted using ../ so (I assume) that by
     using Novell's security you CAN restrict this bug. However, you can
     access files like AUTOEXEC.NCF, and even login scripts in the hidden
     _NETWARE directory (if you know the name).

     It does appear you are restricted to the SYS: volume, however if you
     are using XCONSOLE and have your remote console password in plaintext
     (instead of encrypted) you are just inviting someone to telnet to the
     server console....

     Mark_W_Loveless () smtp bnr com
     Opinions are my own, not my employer's


______________________________ Reply Separator _________________________________
Subject: BoS: *** SECURITY ALERT *** (fwd)
Author:  best-of-security () suburbia net at internet
Date:    7/3/96 9:41 PM


---------- Forwarded message ----------
Date: Wed, 3 Jul 1996 14:50:06 -0700 (PDT)
From: TTT Group <ttt () broder com>
Subject: *** SECURITY ALERT ***

I spent some time exploring Novell's HTTP server and out of the box
there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's
it comes with until you understand (fully understand) what the
security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The CGI in question is convert.bas (yes, cgi's in basic, stop laughing).
(There may be more CGI's in the scripts dir that can be exploited
but this was all I could stomach.)

A remote user can read any file on the remote file system using
this CGI.  This means that if you are running the Novell HTTP
server and have the 'out of box' CGI's, you are breached.
Exploit code:
http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

I was going to see how bad this threat was by connecting to
www servers, testing for "Novell HTTP" in the HTTP server response
BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-)
+links:scripts/convert.bas
will return you all the sites that can be breached.

PLEASE PLEASE PLEASE don't open the box and put the machine on the
Internet.  I am getting tired of this kind of stuff.
Who the hell did Novell consult with to write these darn CGI's?
It makes me sad.

- --blast

------------------------------
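
An added example, not part of the original posts: one way for a server operator to find requests matching the convert.bas pattern described above in an access log. It assumes the log is in Common Log Format and that scripts live under /scripts/; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: access log in Common Log Format:
#   host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def has_dotdot(value, max_decode=3):
    """True if value holds a '..' path segment once percent-decoding is undone."""
    for _ in range(max_decode):            # peel nested encodings one layer at a time
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Split on both separators (NetWare paths use '\') and on query delimiters.
    return '..' in re.split(r'[/\\=&;]+', value)

def find_traversal_requests(log_lines, script_prefix='/scripts/'):
    """Return (client, target, status) for script requests whose query climbs upward."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue                        # not a request line we understand
        client, _method, target, status = m.groups()
        path, _, query = target.partition('?')
        if path.lower().startswith(script_prefix) and has_dotdot(query):
            hits.append((client, target, int(status)))
    return hits

# Constructed sample lines (documentation address ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/1996:14:50:06 -0700] "GET /scripts/convert.bas?../../anything/you/want/to/view HTTP/1.0" 200 512',
    '192.0.2.11 - - [03/Jul/1996:15:02:41 -0700] "GET /scripts/convert.bas?%2e%2e%5c%2e%2e%5cplaceholder.txt HTTP/1.0" 200 733',
    '198.51.100.7 - - [03/Jul/1996:15:10:00 -0700] "GET /scripts/convert.bas?placeholder.txt HTTP/1.0" 200 2048',
    '198.51.100.7 - - [03/Jul/1996:15:11:12 -0700] "GET /index.htm?v=1..2 HTTP/1.0" 200 100',
]

if __name__ == '__main__':
    for client, target, status in find_traversal_requests(SAMPLE_LOG):
        print(f'{client} status={status} {target}')
```

A 200 status on a flagged line means the server answered the request, so those entries are the ones to review first.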


