{"id": "PACKETSTORM:26080", "type": "packetstorm", "bulletinFamily": "exploit", "title": "injoin.txt", "description": "", "published": "2002-05-15T00:00:00", "modified": "2002-05-15T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/26080/injoin.txt.html", "reporter": "Cyberiad", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:29:38", "viewCount": 1, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:29:38", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:29:38", "rev": 2}, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/26080/injoin.txt", "sourceData": "`Per our policy at http://www.nmrc.org/advise/policy.txt, we are releasing \nthese advisories as these are not high priority and the vendor has a fix \nthat is scheduled to be released soon. In an effort to save bandwidth, \nboth advisories are in this single email. NMRC will see you at DefCon in \nLas Vegas! \n \n_______________________________________________________________________________ \n \nI N F O R M A T I O N A N A R C H Y 2 K 0 1 \nwww.nmrc.org/InfoAnarchy \n \nNomad Mobile Research Centre \nA D V I S O R Y \nwww.nmrc.org \nCyberiad [cyberiad@nmrc.org] \n10May2002 \n_______________________________________________________________________________ \n \nPlatforms : Solaris 2.8 \nApplication: Critical Path inJoin V4.0 Directory Server \nSeverity : Medium \n \nSynopsis \n-------- \n \nThis advisory documents a web traversal vulnerability in the Web-based \nadministrator interface, named iCon, of the inJoin Directory Server that \nallows an attacker with the correct username and password to read any file \naccessible to the ids user. \n \n \nDetails \n------- \n \nThe administrative web server, iCon, listens on TCP port 1500 and runs \nunder the ids account. By connecting to this port using a web browser and \nentering a correct administrator username and password, an operator can \nremotely administer the Directory Server and view log entries. The URL \nused to view log entries is of the form. \n \n \nhttp://ip:1500/CONF&LOG=iCon.err&NOIH=no&FRAMES=y \n \n \nThe value of the file= parameter refers to a file named iCon.err. \nUnfortunately, no checks are performed on the location of this value. \nTherefore, an authenticated user can replace the file= parameter with the \nabsolute path to a filename and read the contents. For example, the \nfollowing request returns the /etc/passwd file, \n \n \nhttp://ip:1500/CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y \n \n \nOnly those files that can be read by the ids account are accessible. For \nexample, by default, /etc/shadow cannot be retrieved. Testing confirmed \nthat the attack is not successful without the correct administrator \nusername and password. \n \n \nTested configurations \n--------------------- \n \nTesting was performed with the following configurations: \n \nCritical Path inJoin V4.0 Directory Server \nSolaris 2.8 \n \n \nVendor Response \n--------------- \n \nCritical Path Inc: \n \nCritical Path was contacted on April 30, 2002 and has implemented \npreventative fixes for this issue. A maintenance release to be known as \niCon 4.1.4.7 will be posted on the Critical Path support website at \nhttp://support.cp.net, which is available to supported customers. This \nwill be within the next few weeks, dependent upon other fixes that need to \nbe made available in this maintenance release. \n \n \nSolution/Workaround \n------------------- \n \nFilter TCP port 1500 at the border to prohibit public access to the \nDirectory Server's administrative interface. \n \nUse a strong password on the Directory Server administrator account and \nchange regularly. Distribute the password to only Directory Server \nadministrators. \n \nModify permissions on sensitive files to prohibit access by the ids user. \n \nThough administration of the Directory Server over SSL is currently not \nsupported, Ciritical Path recommends the use of VPN software to mitigate \nthe risk of disclosure of the administrator username and password. The \nnext major release of the Critical Path Directory Server will features \nSSL-enablement of the web-based management interface. \n \n \nComments \n-------- \n \nThis advisory has been released under Information Anarchy - \nhttp://www.nmrc.org/InfoAnarchy/ \n \n \nCopyright \n--------- \n \nThis advisory is Copyright (c) 2002 NMRC - feel free to distribute it \nwithout edits but fear us if you use this advisory in any type of \ncommercial endeavour. \n \n \n_______________________________________________________________________________ \n \n_______________________________________________________________________________ \n \nI N F O R M A T I O N A N A R C H Y 2 K 0 1 \nwww.nmrc.org/InfoAnarchy \n \nNomad Mobile Research Centre \nA D V I S O R Y \nwww.nmrc.org \nCyberiad [cyberiad@nmrc.org] \n10May2002 \n_______________________________________________________________________________ \n \nPlatforms : Solaris 2.8 \nApplication: Critical Path inJoin V4.0 Directory Server \nSeverity : Low \n \nSynopsis \n-------- \n \nThis advisory documents cross-site scripting vulnerabilities in the \nWeb-based administrator interface, named iCon, of the inJoin Directory \nServer that allows an attacker with the correct username and password to \ninject HTML script and use the server in a cross-site scripting attack. \n \n \nDetails \n------- \n \nThe administrative web server, iCon, listens on TCP port 1500 and runs \nunder the ids account. By connecting to this port using a web browser and \nentering a correct administrator username and password, an operator can \nremotely administer the Directory Server. Testing of various \nadministrative URL's located situations in which script can be injected \nand executed upon rendering of the response. Two examples are as follows, \n \n \nhttp://ip:1500/DSASD&DSA=1&LOCID=<script>^\u00c5.</script>&FRAME=Y \nhttp://ip:1500/OBCR&OC=<script>^\u00c5.</script>&FRAME=Y \n \n \nAdditional URL requests are also thought to be vulnerable. Testing \nconfirmed that the attack is not successful without the correct \nadministrator username and password. \n \n \nTested configurations \n--------------------- \n \nTesting was performed with the following configurations: \n \nCritical Path inJoin V4.0 Directory Server \nSolaris 2.8 \n \n \nVendor Response \n--------------- \n \nCritical Path Inc: \n \nCritical Path was contacted on April 30, 2002 and has implemented \npreventative fixes for this issue. A maintenance release to be known as \niCon 4.1.4.7 will be posted on the Critical Path support website at \nhttp://support.cp.net, which is available to supported customers. This \nwill be within the next few weeks, dependent upon other fixes that need to \nbe made available in this maintenance release. \n \n \nSolution/Workaround \n------------------- \n \nFilter TCP port 1500 at the border to prohibit public access to the \nDirectory Server's administrative interface. \n \nUse a strong password on the Directory Server administrator account and \nchange regularly. Distribute the password to only Directory Server \nadministrators. \n \nThough administration of the Directory Server over SSL is currently not \nsupported, Ciritical Path recommends the use of VPN software to mitigate \nthe risk of disclosure of the administrator username and password. The \nnext major release of the Critical Path Directory Server will features \nSSL-enablement of the web-based management interface. \n \n \nComments \n-------- \n \nThis advisory has been released under Information Anarchy - \nhttp://www.nmrc.org/InfoAnarchy/ \n \n \nCopyright \n--------- \n \nThis advisory is Copyright (c) 2002 NMRC - feel free to distribute it \nwithout edits but fear us if you use this advisory in any type of \ncommercial endeavour. \n \n \n_______________________________________________________________________________ \n \n \n`\n"}

{}