[23670] in bugtraq
ezmlm warning
daemon@ATHENA.MIT.EDU (bugtraq-help@securityfocus.com)
Tue Jan 1 11:30:59 2002
Date: 1 Jan 2002 16:30:33 -0000
Message-ID: <1009902633.2255.ezmlm-warn@securityfocus.com>
From: bugtraq-help@securityfocus.com
To: bugtraq-redist@mit.edu
Content-type: text/plain; charset=us-ascii
Hi! This is the ezmlm program. I'm managing the
bugtraq@securityfocus.com mailing list.
I'm working for my owner, who can be reached
at bugtraq-owner@securityfocus.com.
Messages to you from the bugtraq mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.
If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the bugtraq mailing list,
without further notice.
I've kept a list of which messages from the bugtraq mailing list have
bounced from your address.
Copies of these messages may be in the archive.
To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
<bugtraq-get.123_145@securityfocus.com>
To receive a subject and author list for the last 100 or so messages,
send an empty message to:
<bugtraq-index@securityfocus.com>
Here are the message numbers:
2975
--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 6761 invoked from network); 21 Dec 2001 01:33:49 -0000
Received: from mail.securityfocus.com (HELO securityfocus.com) (66.38.151.9)
by lists.securityfocus.com with SMTP; 21 Dec 2001 01:33:49 -0000
Received: (qmail 11093 invoked by alias); 21 Dec 2001 01:31:47 -0000
Received: (qmail 7875 invoked from network); 21 Dec 2001 01:31:01 -0000
Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com) (66.38.151.26)
by mail.securityfocus.com with SMTP; 21 Dec 2001 01:31:01 -0000
Received: by outgoing.securityfocus.com (Postfix)
id F22639053C; Thu, 20 Dec 2001 17:34:37 -0700 (MST)
Date: Thu, 20 Dec 2001 17:34:37 -0700 (MST)
From: MAILER-DAEMON@outgoing.securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: bugtraq-return-2975-bugtraq-redist=mit.edu@securityfocus.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="207BF8F32E.1008894866/outgoing.securityfocus.com"
Message-Id: <20011221003437.F22639053C@outgoing.securityfocus.com>
This is a MIME-encapsulated message.
--207BF8F32E.1008894866/outgoing.securityfocus.com
Content-Description: Notification
Content-Type: text/plain
This is the Postfix program at host outgoing.securityfocus.com.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
<bugtraq-redist@mit.edu>: host PACIFIC-CARRIER-ANNEX.mit.edu[18.7.21.83] said:
553 beader hobo
--207BF8F32E.1008894866/outgoing.securityfocus.com
Content-Description: Delivery error report
Content-Type: message/delivery-status
Reporting-MTA: dns; outgoing.securityfocus.com
Arrival-Date: Thu, 20 Dec 2001 10:33:19 -0700 (MST)
Final-Recipient: rfc822; bugtraq-redist@mit.edu
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host PACIFIC-CARRIER-ANNEX.mit.edu[18.7.21.83]
said: 553 beader hobo
--207BF8F32E.1008894866/outgoing.securityfocus.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
by outgoing.securityfocus.com (Postfix) with QMQP
id 207BF8F32E; Thu, 20 Dec 2001 10:33:19 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 31711 invoked from network); 20 Dec 2001 01:11:52 -0000
Mime-Version: 1.0
Date: Thu, 20 Dec 2001 01:45:00 +0200
References: 3c0cea6d00002123
X-Mailer: Groupwise 6.0
Message-ID: <20011220T014538Z_B91800000000>
From: eNowak IGF remote <nowak@rz.uni-frankfurt.de>
Subject: Re: IRM Security Advisory 002: Netware Web Server Source Disclosure
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
The given example
=20
http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.=
jse+httplist+httplist/../../../../../system/autoexec.ncf
results in
"Cannot read from insecure path."
according to viewcode.jse code fragment:
// only read file which is under the secure sewse path -- hence =
filtering ".."
if ((argv[i]).indexOf("..") !=3D -1)
{ return "Cannot read from insecure path."; }
System: NW5.1sp3
sys:/novonyx/suitespot/docs/sewse/viewcode.jse of 03/12/01.
Workarounds:
~~~~~~~~~~~~
Apply service pack, latest version out since 5 months!
Greetings
E.N.
--
---------------------------------------------------------
Eberhard Nowak, JWG-Universitaet, Hochschulrechenzentrum
Grueneburgplatz 1, 60629 Frankfurt, Germany
Phone : +49 69 798-33198 Fax: +49 69 798-28313
E-mail: nowak@rz.uni-frankfurt.de
>>> IRM Security Advisories<advisories@irmplc.com> 19.12.2001 12:44 >>>
>demonstrate the flexibility and features of the product. However, one
>sample page uses a Netware Loadable Module (NLM) called sewse.nlm to
>call a script called viewcode.jse. The viewcode.jse file is designed to
>be used to display the source code of sample files called httplist.htm
>and httplist.jse. These file names are passed as parameters to the NLM
>through a URL such as (URL may wrap):
>
>http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode=
.jse+httplist/httplist.htm+httplist/httplist.jse=20
>
>The application checks the files being requested by requiring that the
>httplist directory is specified in the path to the files to be viewed.
>However, it is possible to traverse directories using /../ after
>httplist. The sewse.nlm module runs with sufficient permissions whereby
>it possible to traverse to any file on the file system and view the =
contents.
>There are many files that may be of interest to an attacker and these
>include:[...]
>
>Workarounds:
>~~~~~~~~~~~~
>A workaround involves removing all sample web pages and sample NLMs.[...]
--207BF8F32E.1008894866/outgoing.securityfocus.com--
