<<<mass snippage>>> >1. The help argument in GWWEB.EXE reveal full web path on the server >2. anyone can read a .htm file on the system with the GWWEB.EXE and >the HELP agument. >by sending http://server/cgi-bin/GW5/GWWEB.EXE?HELP=../../../../../index >You will see the main web site interface. <<<end mass snippage>>> The above example will vary based on how your Web server is set up. The exact path listed above did not work for me, but modifying it to match my server set up did. Note that testing was done on NetWare 4.11 SP6 The vulnerability will also show the contents of .html files, but not .shtml Possible workaround: Change extension to .shtml - these are not shown Possible workaround: For each Web page, have two separate pages with the same name - one with .htm extension and one with .html extension. Use .htm for the pages with real content. When two pages with the same name, but these different extensions exist, this vulnerability will show .html instead of .htm. Possible workaround: Turn off WebAccess until Novell fixes it. Possible (recommended) solution: Use separate server for Web pages and GroupWise WebAccess. Apache seems to be a good choice... haven't seen it for NetWare though. Note that this DOES show pages that are in areas normally requiring authentication, without requiring such authentication, therefore making it a security risk. Relative-path links from this page will be broken; absolute paths will (of course) work normally. If you don't have any areas of the site that require authentication, this problem doesn't matter. Also - after deleting the page entirely from the server, and accessing it from another computer that did not have it in cache, I was still able to access the now non-existing page. I assume it's still in the server's cache... (I even purged it and still accessed it) Shift-reload did not change anything. Brian
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:22:06 PDT