Bugtraq mailing list archives
Groupewise Web Interface
From: sfaust () HARTCO COM (Sacha Faust Bourque)
Date: Sun, 19 Dec 1999 18:08:00 -0500
Problems found with GroupeWise web server ( Novell was contacted 3 weeks ago and no reply ) ----------------------------------------------------------------- 1. The help argument in GWWEB.EXE reveal full web path on the server 2. anyone can read a .htm file on the system with the GWWEB.EXE and the HELP argument. Example: 1. ( full web server path ) By sending http://server/cgi-bin/GW5/GWWEB.EXE?HELP=bad-request the server will reply Could not find file SYS:WEB\CGI-BIN\GW5\US\HTML3\HELP\BAD-REQUEST.HTM 2. ( read any .htm file ) by sending http://server/cgi-bin/GW5/GWWEB.EXE?HELP=../../../../../index ( refering to the path returned in the previous example ). You will see the main web site interface. We did some intensive test with the HELP trying to get rid of the .htm that it happens and we were unable to get rid of it. We are currently testing other arguments sent to GWWEB.EXE. This was tested on GroupWise 5.2 and 5.5 . This was found by Laurent Hollo and me. Sacha Faust Bourque sfaust () hartco com
Current thread:
- Re: sshd1 allows unencrypted sessions regardless of server policy, (continued)
- Re: sshd1 allows unencrypted sessions regardless of server policy Michael H. Warfield (Dec 14)
- Re: sshd1 allows unencrypted sessions regardless of server policy Pavel Machek (Dec 14)
- Re: sshd1 allows unencrypted sessions regardless of server policy Joseph Moran (Dec 14)
- Re: sshd1 allows unencrypted sessions regardless of server policy David Schwartz (Dec 15)
- SSH-1.2.27 & RSAREF2 exploit Iván Arce (Dec 14)
- SSH 1 Why? Daniel P. Zepeda (Dec 14)
- Re: SSH 1 Why? Emiliano Kargieman (Dec 15)
- Re: SSH 1 Why? Emiel Kollof (Dec 15)
- Re: SSH 1 Why? Iván Arce (Dec 16)
- Re: SSH 1 Why? R. J. Wysocki (Dec 18)
- Groupewise Web Interface Sacha Faust Bourque (Dec 19)
- Re: Groupewise Web Interface Raymond Dijkxhoorn (Dec 20)
- Re: Groupewise Web Interface Bayard G. Bell (Dec 21)
- Announcement: Solaris loadable kernel module backdoor plasmoid (Dec 20)
- Re: Announcement: Solaris loadable kernel module backdoor pedward () WEBCOM COM (Dec 21)
- Re: Announcement: Solaris loadable kernel module backdoor Marc Esipovich (Dec 22)
- Re: Announcement: Solaris loadable kernel module backdoor Steven Alexander (Dec 23)
- Re: Announcement: Solaris loadable kernel module backdoor Rainer Link (Dec 22)
- Re: Announcement: Solaris loadable kernel module backdoor Keith Owens (Dec 22)
- Re: Groupewise Web Interface satherrl () MAILPOINT DSSRG CURTIN EDU AU (Dec 21)
- Norton Email Protection Remote Overflow (Addendum) Matt Conover (Dec 20)