[20305] in bugtraq
iplanet calendar server 5.0p2 exposes Netscape Admin Server
daemon@ATHENA.MIT.EDU (Adam Laurie)
Wed Apr 18 16:18:32 2001
Message-ID: <3ADD9E2B.E55A3E76@algroup.co.uk>
Date: Wed, 18 Apr 2001 15:01:15 +0100
Reply-To: Adam Laurie <adam@ALGROUP.CO.UK>
From: Adam Laurie <adam@ALGROUP.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
at the time of writing, 5.0p2 is the currently available revision on
iplanet's download site.
the problem:

the standard install of iPlanet Calendar server stores the NAS LDAP
admin username and password in plaintext in the world readable file:

  -rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18 /opt/SUNWics5/cal/bin/config/ics.conf

in the fields

  local.authldapbinddn (username)

and

  local.authldapbindcred (password)

this potentially gives all local users full read/write access to the
underlying NAS LDAP database (which is normally used for admin
facilities such as storing user / group profiles, passwords, ACLs, SSL
certificates and/or other sensitive company information), and full
administrative control of the local NAS server. this access could in
turn lead to compromise of other facilities such as web/e-commerce
sites, directories etc.
i believe that the default install of the underlying NAS LDAP server and
associated administration packages allow remote admin via tcp/ip, so
other remote compromises that allow reading of world readable files (or
any other disclosures of the above file contents) could lead to full
remote read/write access of the NAS LDAP database and full remote
administrative control of the server.
this was reported to iplanet at the end of february 2001, who requested
i submit it to netscape's online bug-tracking system which i did on 3rd
march. i have heard nothing from them since. i have not personally
investigated or tested any fix for this.
enjoy,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
Voysey House http://www.thebunker.net
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
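
A local audit for the condition reported above, as an added example that is not part of the original post or any iPlanet tooling: it flags a config file that is readable by "other" and also contains the two bind settings the post names. The `key = "value"` line format, the return-code convention, the function names and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flags a config file that is world-readable AND holds the
# LDAP bind settings named in the advisory. Values are never printed.
# Return codes (this example's own convention): 0 ok, 1 exposed, 2 cannot check.

CRED_KEYS='local\.authldapbinddn|local\.authldapbindcred'

audit_ics_conf() {
    conf=$1
    if [ ! -f "$conf" ] || [ ! -r "$conf" ]; then
        echo "SKIP  $conf: missing or unreadable" >&2
        return 2
    fi
    # First 10 characters of ls -l output, e.g. "-rw-r--r--";
    # character 8 is the read bit for "other".
    mode=$(ls -ldL -- "$conf" | cut -c1-10)
    other_read=$(printf '%s' "$mode" | cut -c8)
    # Assumption: active settings are written as  key = "value"
    found=$(grep -E -c "^[[:space:]]*($CRED_KEYS)[[:space:]]*=" "$conf" || true)
    if [ "$other_read" = "r" ] && [ "$found" -gt 0 ]; then
        echo "FAIL  $conf ($mode): $found bind setting(s) readable by every local user"
        return 1
    fi
    echo "OK    $conf ($mode): bind settings=$found"
    return 0
}

# Constructed sample input (placeholder values, not a real configuration).
write_sample_conf() {
    cat > "$1" <<'EOF'
local.authldapbinddn = "cn=PLACEHOLDER"
local.authldapbindcred = "PLACEHOLDER"
other.setting = "x"
EOF
}

# Usage: sh audit.sh /path/to/ics.conf
if [ "$#" -gt 0 ]; then
    audit_ics_conf "$1"
fi
```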