Novell GroupWise GWWEB.EXE HELP Directory Traversal

1999-12-19T00:00:00
ID OSVDB:3413
Type osvdb
Reporter OSVDB
Modified 1999-12-19T00:00:00

Description

Vulnerability Description

Novell GroupWise contains a vulnerability that allows a remote attacker to read arbitrary files in the web path. The issue is due to a lack of sanity checking for input passed to the HELP variable in the GWWEB.EXE program. By supplying a .htm or .html file name together with a ../../ traversal sequence, anyone can view any document within the web server path.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm
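
A log check for the request shape shown above, added here as an example and not part of the original advisory. The log lines are constructed samples in Common Log Format, and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/1999:10:00:01 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?HELP=index.htm HTTP/1.0" 200 512',
    '192.0.2.11 - - [19/Dec/1999:10:00:05 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm HTTP/1.0" 200 2048',
    '192.0.2.12 - - [19/Dec/1999:10:00:09 +0000] "GET /cgi-bin/GW5/gwweb.exe?help=%2e%2e/%2e%2e/secret.html HTTP/1.0" 200 2048',
    '192.0.2.13 - - [19/Dec/1999:10:00:12 +0000] "GET /docs/../index.htm HTTP/1.0" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def help_traversal_value(log_line):
    """Return the decoded HELP value if the line is a GWWEB.EXE request whose
    HELP parameter contains a parent-directory segment, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/gwweb.exe"):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.upper() != "HELP":
            continue
        # parse_qsl decodes once; decode a second time to catch double encoding.
        decoded = unquote(value)
        # Split on either path separator and look for a ".." segment.
        if ".." in re.split(r"[\\/]+", decoded):
            return decoded
    return None

def scan(lines):
    """Return (client address, decoded HELP value) for each flagged line."""
    hits = []
    for line in lines:
        value = help_traversal_value(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(client, value)
```
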

References:

Snort Signature ID: 1165
Snort Signature ID: 1614
Nessus Plugin ID: 10877
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0379.html
ISS X-Force ID: 3923
Generic Informational URL: http://www.securiteam.com/exploits/3I5QDQ0QAG.html
CVE-1999-1005
Bugtraq ID: 879