[2331] in WWW Security List Archive
Re: Which are the security implications of using Novell's Web Server???
daemon@ATHENA.MIT.EDU (Blast)
Sat Jul 6 03:06:48 1996
Date: Fri, 5 Jul 1996 22:15:18 -0700 (PDT)
From: Blast <blast@worldbit.com>
To: owner-www-security@ns2.rutgers.edu
cc: www-security@ns2.rutgers.edu
In-Reply-To: <31DC3241.1714@banamex.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 4 Jul 1996, fmora wrote:
> I hope this is not extremely repetitive.
> Which security problems are known to Novell Web Server???
> Thanks in advance for your help!!!
My co-worker and I found a hole that is a part of a CGI
that ships with the Novell Web Server. My point here is that
it is the CGI that is insecure.
Here are the details:
The Novell Web Server ships with CGI programs in a directory
called 'scripts'. The CGI we are focusing on is called
'convert.bas'. It is a CGI written in BASIC.
The exploit occurs when you use a URL such as
http://misconfigured.org/scripts/convert.cgi?../../any/kind/of/file.sys
where misconfigured.org was unfortunate enough to just install
the Novell Web Server out of the box and trust all the CGI programs.
As you can see, ../.. was used to get to the 'system' directory
where most of the crown jewels on a Novell Server are stored.
Some of the load commands take clear text passwds as arguments. Yikes!
This should strike anyone on the mailing list here as nothing new.
It is the same type of threat as:
ftp://info.cert.org/pub/cert_advisories/CA-96.11.README
by which the CGI allows files to be disclosed from the attached file systems.
Anyone who has read the
http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html
should know that this type of CGI program is a no-no.
We were quite surprised when a company like Novell would ship
something so insecure. What were they thinking?
We have done our best to notify Novell and CERT. It has been an eye
opener for me.
NOVELL: "Hi, I would like to talk to someone there about
a possible security problem with your Web Server?"
Who do you call? Tech Support? I think not.
CERT: mail cert@cert.org and I get an auto-reply.
It states that only in an emergency should one call. Well,
this is not an emergency for me so I did not call. I will
wait till they decide that this is something they should make public.
***********************please read*******************
If you are running any CGI programs on your web site,
please make sure that you know them better than you know
your mother's voice. :-)
***********************thank you********************
--blast <ttt@broder.com>
<blast@broder.com>
+--------------------------------------------------------------------+
\ Tim Keanini | "The limits of my language, /
/ aka blast | are the limits of my world." \
\ | --Ludwig Wittgenstein /
\ +================================================/
|Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6 |
/ PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \
\ <blast@worldbit.com> /
+--------------------------------------------------------------------+
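
An added example, not part of the original message and not Novell's code: the containment check a CGI needs before it opens a file named in its query string, written here in Python. The base directory, the function names and the sample requests other than the one quoted in the message are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

BASE = "/web/docs"  # constructed document root for this example

class UnsafePath(ValueError):
    """Requested name would resolve outside the allowed directory."""

def resolve_under(base_dir, requested):
    """Map a CGI query-string file name to a path inside base_dir, or raise."""
    # Undo up to two layers of percent-encoding so %2e%2e%2f and %252e forms
    # are checked as the '../' they turn into further down the stack.
    decoded = requested
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise UnsafePath("too many layers of percent-encoding")
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in name")
    # Backslash is also a separator on DOS/NetWare-style file systems.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or ":" in decoded:
        raise UnsafePath("absolute or volume-qualified path")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Compare the normalized result, with a trailing separator so that a
    # sibling such as /web/docs2 does not pass as "inside" /web/docs.
    if not candidate.startswith(base + "/"):
        raise UnsafePath("path escapes base directory")
    return candidate

def is_allowed(base_dir, requested):
    try:
        resolve_under(base_dir, requested)
        return True
    except UnsafePath:
        return False

if __name__ == "__main__":
    samples = [  # first entry is the query from the message; the rest are constructed
        "../../any/kind/of/file.sys",
        "%2e%2e%2f%2e%2e%2fany/file.sys",
        "..\\..\\any\\file.sys",
        "reports/q2.txt",
    ]
    for s in samples:
        print(f"{s!r:40} -> {'allow' if is_allowed(BASE, s) else 'reject'}")
```

The check is lexical only; on a real file system, also resolve symbolic links (for example with os.path.realpath) before the comparison.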