Re: IRM Security Advisory 002: Netware Web Server Source Disclosure

From: eNowak IGF remote (nowakat_private-frankfurt.de)
Date: Wed Dec 19 2001 - 15:45:00 PST


    The given example
     
    http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf
    
    results in
    
          "Cannot read from insecure path."
    
    according to the viewcode.jse code fragment:
    
          // only read file which is under the secure sewse path -- hence filtering ".."
          if ((argv[i]).indexOf("..") != -1)
          { return "Cannot read from insecure path."; }
    
    System: NW5.1sp3
    sys:/novonyx/suitespot/docs/sewse/viewcode.jse of 03/12/01.
    
    Workarounds:
    ~~~~~~~~~~~~
    Apply the service pack; the latest version has been out for 5 months!
    
    Greetings
    E.N.
    
    --
    ---------------------------------------------------------
    Eberhard Nowak, JWG-Universitaet, Hochschulrechenzentrum
    Grueneburgplatz 1, 60629 Frankfurt, Germany
    Phone : +49 69 798-33198          Fax: +49 69 798-28313
    E-mail: nowakat_private-frankfurt.de
    
    >>> IRM Security Advisories<advisoriesat_private> 19.12.2001  12:44 >>>
    >demonstrate the flexibility and features of the product. However, one
    >sample page uses a Netware Loadable Module (NLM) called sewse.nlm to
    >call a script called viewcode.jse. The viewcode.jse file is designed to
    >be used to display the source code of sample files called httplist.htm
    >and httplist.jse. These file names are passed as parameters to the NLM
    >through a URL such as (URL may wrap):
    >
    >http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse 
    >
    >The application checks the files being requested by requiring that the
    >httplist directory is specified in the path to the files to be viewed.
    >However, it is possible to traverse directories using /../ after
    >httplist. The sewse.nlm module runs with sufficient permissions whereby
    >it is possible to traverse to any file on the file system and view the contents.
    >There are many files that may be of interest to an attacker and these
    >include:[...]
    >
    >Workarounds:
    >~~~~~~~~~~~~
    >A workaround involves removing all sample web pages and sample NLMs.[...]
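
The two checks discussed in this thread, run side by side with a check that resolves the path before deciding, as an added example that is not part of the original post and is not Novell's code. The function names, the first-segment model of the pre-patch check and the last two sample arguments are assumptions; only the `indexOf("..")` test comes from the quoted fragment.

```javascript
// Added example, not Novell's code. Only the indexOf("..") test comes from the
// viewcode.jse fragment quoted in the post; everything else is assumed.
const SAMPLE_DIR = "httplist"; // directory the sample viewer is meant to serve

// Pre-patch check as the advisory describes it, modelled (assumption) as
// "the first path segment must be httplist".
function advisoryCheck(arg) {
  return arg.split("/")[0] === SAMPLE_DIR;
}

// Service-pack check from the quoted fragment: refuse any argument with "..".
function patchedCheck(arg) {
  return arg.indexOf("..") === -1;
}

// Resolve "." and ".." segments; null means the path climbs above its root.
function resolveSegments(arg) {
  const out = [];
  for (const seg of arg.replace(/\\/g, "/").split("/")) { // assumption: "\" also separates
    if (seg === "" || seg === ".") continue;
    if (seg !== "..") { out.push(seg); continue; }
    if (out.length === 0) return null;
    out.pop();
  }
  return out;
}

// Hypothetical stricter check: decide on the resolved path, which must name
// a file inside httplist.
function canonicalCheck(arg) {
  const segs = resolveSegments(arg);
  return segs !== null && segs.length > 1 && segs[0] === SAMPLE_DIR;
}

function evaluate(arg) {
  return {
    advisory: advisoryCheck(arg),
    patched: patchedCheck(arg),
    canonical: canonicalCheck(arg),
  };
}

// Arguments: the first two appear in the URLs above, the last two are constructed.
const samples = [
  "httplist/httplist.htm",
  "httplist/../../../../../system/autoexec.ncf",
  "httplist/sub/../httplist.jse",
  "other/httplist.htm",
];
for (const s of samples) console.log(s, JSON.stringify(evaluate(s)));
```

The last two arguments show where the substring test and the resolved-path test disagree: the substring test refuses a path that stays inside httplist and, taken on its own, accepts one that never enters it.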
    


