Novell NetWare sewse.nlm (allfield.jse) Sample Application Information Disclosure

2002-05-29T22:24:42
ID OSVDB:17462
Type osvdb
Reporter Richard Brain (richard.brain@procheckup.com)
Modified 2002-05-29T22:24:42

Description

Vulnerability Description

Novell NetWare contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sewse.nlm is called with specific query string values, which discloses some environment variables and their current values, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Remove sample applications prior to placing the server into production.

Manual Testing Notes

http://[target]/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
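
To check whether the sample scripts are still reachable and being requested on your own server, the following added example (not part of the original entry) scans web access logs for calls to sewse.nlm. It goes beyond allfield.jse and flags any .jse script under the sample tree, since the workaround is to remove all sample applications. The Common Log Format input, the case-insensitive path matching, and the names classify, scan and SAMPLE_LOG are assumptions.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format line (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
HANDLER = "/lcgi/sewse.nlm"   # handler path from the entry above
SAMPLE_DIR = "/docs/sewse/"   # sample-application tree from the entry above

def classify(log_line):
    """Return 'sample-script', 'sewse-other' or None for one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # Decode percent-escapes twice (double encoding), unify slashes and fold
    # case. Case-insensitive path handling on the server is an assumption.
    target = unquote(unquote(m.group(1))).replace("\\", "/").lower()
    path, _, query = target.partition("?")
    if not path.endswith(HANDLER):
        return None
    query = query.strip()  # tolerate an encoded space after the '?'
    if SAMPLE_DIR in query and query.endswith(".jse"):
        return "sample-script"   # a shipped sample script was requested
    return "sewse-other"         # handler used, worth a manual look

def scan(lines):
    """Return (line_number, client_ip, verdict) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((number, line.split(" ", 1)[0], verdict))
    return hits

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Jun/2002:10:02:13 +0000] "GET /lcgi/sewse.nlm?'
    'sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse HTTP/1.0" 200 2210',
    '198.51.100.7 - - [01/Jun/2002:10:02:40 +0000] "GET /LCGI/SEWSE.NLM?%20sys:'
    '%2Fnovonyx%2Fsuitespot%2Fdocs%2Fsewse%2Fmisc%2Fallfield.jse HTTP/1.0" 200 2210',
    '192.0.2.33 - - [01/Jun/2002:11:15:02 +0000] "GET /lcgi/sewse.nlm?'
    'sys:/apps/intranet/report.jse HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 'sample-script' hit with a 200 status means the sample application is still installed and was served; 'sewse-other' lines are legitimate handler use unless the script path is unexpected.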

References:

Vendor URL: http://www.novell.com
Vendor Specific Advisory URL
Related OSVDB ID: 17463
Related OSVDB ID: 17464
Related OSVDB ID: 17461
Related OSVDB ID: 17465
Related OSVDB ID: 17467
Related OSVDB ID: 17468
Related OSVDB ID: 17466
Other Advisory URL: http://attrition.org/security/advisory/misc/pro2-3.netware_50
Other Advisory URL: http://attrition.org/security/advisory/misc/pro2-1.netware_50-1
Keyword: NetWare Enterprise Web Server
ISS X-Force ID: 9212
CVE-2002-1634
CERT VU: 159203
Bugtraq ID: 4874