injoin.txt

2002-05-15T00:00:00
ID PACKETSTORM:26080
Type packetstorm
Reporter Cyberiad
Modified 2002-05-15T00:00:00

Description

Per our policy at http://www.nmrc.org/advise/policy.txt, we are releasing  
these advisories as these are not high priority and the vendor has a fix  
that is scheduled to be released soon. In an effort to save bandwidth,  
both advisories are in this single email. NMRC will see you at DefCon in  
Las Vegas!  
  
_______________________________________________________________________________  
  
I N F O R M A T I O N A N A R C H Y 2 K 0 1  
www.nmrc.org/InfoAnarchy  
  
Nomad Mobile Research Centre  
A D V I S O R Y  
www.nmrc.org  
Cyberiad [cyberiad@nmrc.org]  
10May2002  
_______________________________________________________________________________  
  
Platforms : Solaris 2.8  
Application: Critical Path inJoin V4.0 Directory Server  
Severity : Medium  
  
Synopsis  
--------  
  
This advisory documents a web traversal vulnerability in the Web-based  
administrator interface, named iCon, of the inJoin Directory Server that  
allows an attacker with the correct username and password to read any file  
accessible to the ids user.  
  
  
Details  
-------  
  
The administrative web server, iCon, listens on TCP port 1500 and runs  
under the ids account. By connecting to this port using a web browser and  
entering a correct administrator username and password, an operator can  
remotely administer the Directory Server and view log entries. The URL  
used to view log entries is of the form:  
  
  
http://ip:1500/CONF&LOG=iCon.err&NOIH=no&FRAMES=y  
  
  
The value of the LOG= parameter refers to a file named iCon.err.  
Unfortunately, no checks are performed on the location of this value.  
Therefore, an authenticated user can replace the LOG= value with the  
absolute path to a file and read its contents. For example, the  
following request returns the /etc/passwd file:  
  
  
http://ip:1500/CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y  
  
  
Only those files that can be read by the ids account are accessible. For  
example, by default, /etc/shadow cannot be retrieved. Testing confirmed  
that the attack is not successful without the correct administrator  
username and password.  
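The missing location check, as an added example written for this page (not iCon's code): the vulnerable join beside a hardened resolver that accepts only an allow-listed bare file name and confirms the canonical path stays inside the log directory. The log directory and the allow-list are assumed placeholders; iCon.err is the one file name the advisory gives.

```python
import os

# Assumed, constructed values (not iCon's code): the directory the log viewer
# may read from and the log names it is allowed to show. iCon.err is the one
# file name the advisory mentions; the directory is a placeholder.
LOG_DIR = "/opt/injoin/logs"
ALLOWED_LOGS = {"iCon.err"}


def unsafe_log_path(requested):
    """Vulnerable pattern described in the advisory: the LOG value is used as a
    path with no location check. os.path.join discards LOG_DIR entirely when
    the requested value is absolute, so '/etc/passwd' is returned unchanged."""
    return os.path.join(LOG_DIR, requested)


def safe_log_path(requested, log_dir=LOG_DIR, allowed=ALLOWED_LOGS):
    """Hardened form: accept only a bare, allow-listed file name and confirm the
    canonical path still lies inside log_dir. Raises ValueError otherwise."""
    # 1. Reject anything with directory components: absolute paths, '..' and
    #    'iCon.err/../../etc/passwd' all fail the basename comparison.
    if not requested or requested != os.path.basename(requested):
        raise ValueError("log name must be a bare file name")
    # 2. Only known log files may be viewed (also rules out '.' and '..').
    if requested not in allowed:
        raise ValueError("log name is not an allowed log file")
    # 3. Canonicalise and check containment; this also catches a symlink in
    #    log_dir that points outside it.
    root = os.path.realpath(log_dir)
    full = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes the log directory")
    return full


def log_request_allowed(requested):
    """Convenience check for a handler: True if safe_log_path accepts the value."""
    try:
        safe_log_path(requested)
    except ValueError:
        return False
    return True
```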
  
  
Tested configurations  
---------------------  
  
Testing was performed with the following configurations:  
  
Critical Path inJoin V4.0 Directory Server  
Solaris 2.8  
  
  
Vendor Response  
---------------  
  
Critical Path Inc:  
  
Critical Path was contacted on April 30, 2002 and has implemented  
preventative fixes for this issue. A maintenance release to be known as  
iCon 4.1.4.7 will be posted on the Critical Path support website at  
http://support.cp.net, which is available to supported customers. This  
will be within the next few weeks, dependent upon other fixes that need to  
be made available in this maintenance release.  
  
  
Solution/Workaround  
-------------------  
  
Filter TCP port 1500 at the border to prohibit public access to the  
Directory Server's administrative interface.  
  
Use a strong password on the Directory Server administrator account and  
change it regularly. Distribute the password only to Directory Server  
administrators.  
  
Modify permissions on sensitive files to prohibit access by the ids user.  
  
Though administration of the Directory Server over SSL is currently not  
supported, Critical Path recommends the use of VPN software to mitigate  
the risk of disclosure of the administrator username and password. The  
next major release of the Critical Path Directory Server will feature  
SSL-enablement of the web-based management interface.  
  
  
Comments  
--------  
  
This advisory has been released under Information Anarchy -  
http://www.nmrc.org/InfoAnarchy/  
  
  
Copyright  
---------  
  
This advisory is Copyright (c) 2002 NMRC - feel free to distribute it  
without edits but fear us if you use this advisory in any type of  
commercial endeavour.  
  
  
_______________________________________________________________________________  
  
_______________________________________________________________________________  
  
I N F O R M A T I O N A N A R C H Y 2 K 0 1  
www.nmrc.org/InfoAnarchy  
  
Nomad Mobile Research Centre  
A D V I S O R Y  
www.nmrc.org  
Cyberiad [cyberiad@nmrc.org]  
10May2002  
_______________________________________________________________________________  
  
Platforms : Solaris 2.8  
Application: Critical Path inJoin V4.0 Directory Server  
Severity : Low  
  
Synopsis  
--------  
  
This advisory documents cross-site scripting vulnerabilities in the  
Web-based administrator interface, named iCon, of the inJoin Directory  
Server that allow an attacker with the correct username and password to  
inject HTML script and use the server in a cross-site scripting attack.  
  
  
Details  
-------  
  
The administrative web server, iCon, listens on TCP port 1500 and runs  
under the ids account. By connecting to this port using a web browser and  
entering a correct administrator username and password, an operator can  
remotely administer the Directory Server. Testing of various  
administrative URLs located situations in which script can be injected  
and executed when the response is rendered. Two examples are as follows:  
  
  
http://ip:1500/DSASD&DSA=1&LOCID=<script>...</script>&FRAME=Y  
http://ip:1500/OBCR&OC=<script>...</script>&FRAME=Y  
  
  
Additional URL requests are also thought to be vulnerable. Testing  
confirmed that the attack is not successful without the correct  
administrator username and password.  
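An added log-review check covering both advisories (illustrative code written for this page, not anything from NMRC or Critical Path): it parses iCon-style request paths out of constructed access-log lines, flags LOG values that are not bare file names (the traversal in the first advisory) and parameter values carrying markup (the injected script described here). The access-log layout and the sample lines are assumed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real data). The log layout is assumed; the
# request paths follow the URL shapes quoted in the two advisories.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/May/2002:12:00:01] "GET /CONF&LOG=iCon.err&NOIH=no&FRAMES=y HTTP/1.0" 200
10.0.0.5 - admin [10/May/2002:12:00:09] "GET /CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y HTTP/1.0" 200
10.0.0.7 - admin [10/May/2002:12:01:30] "GET /OBCR&OC=%3Cscript%3E...%3C/script%3E&FRAME=Y HTTP/1.0" 200
10.0.0.9 - admin [10/May/2002:12:02:00] "GET /DSASD&DSA=1&LOCID=ou%3Dpeople&FRAME=Y HTTP/1.0" 200
"""

REQUEST_RE = re.compile(r'"GET (?P<path>\S+) HTTP/')
# Anything that looks like an opening or closing HTML tag once URL-decoded.
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def parse_icon_request(path):
    """Split an iCon path '/CMD&KEY=VALUE&...' into (command, {KEY: decoded
    VALUE}). iCon places '&' after the command where a URL would have '?'."""
    parts = path.lstrip("/").split("&")
    params = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        params[key] = unquote(value)
    return parts[0], params


def classify(path):
    """Return the findings for one request path (empty list means benign)."""
    _, params = parse_icon_request(path)
    findings = []
    log_value = params.get("LOG")
    # A real LOG value is a bare file name; '/' or '..' is the traversal pattern.
    if log_value is not None and any(s in log_value for s in ("/", "\\", "..")):
        findings.append("traversal:LOG")
    # Markup in any parameter is the injection pattern from the second advisory.
    for key, value in params.items():
        if TAG_RE.search(value):
            findings.append("markup:" + key)
    return findings


def scan(log_text):
    """Return (client, path, findings) for every suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        findings = classify(match.group("path")) if match else []
        if findings:
            hits.append((line.split()[0], match.group("path"), findings))
    return hits
```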
  
  
Tested configurations  
---------------------  
  
Testing was performed with the following configurations:  
  
Critical Path inJoin V4.0 Directory Server  
Solaris 2.8  
  
  
Vendor Response  
---------------  
  
Critical Path Inc:  
  
Critical Path was contacted on April 30, 2002 and has implemented  
preventative fixes for this issue. A maintenance release to be known as  
iCon 4.1.4.7 will be posted on the Critical Path support website at  
http://support.cp.net, which is available to supported customers. This  
will be within the next few weeks, dependent upon other fixes that need to  
be made available in this maintenance release.  
  
  
Solution/Workaround  
-------------------  
  
Filter TCP port 1500 at the border to prohibit public access to the  
Directory Server's administrative interface.  
  
Use a strong password on the Directory Server administrator account and  
change it regularly. Distribute the password only to Directory Server  
administrators.  
  
Though administration of the Directory Server over SSL is currently not  
supported, Critical Path recommends the use of VPN software to mitigate  
the risk of disclosure of the administrator username and password. The  
next major release of the Critical Path Directory Server will feature  
SSL-enablement of the web-based management interface.  
  
  
Comments  
--------  
  
This advisory has been released under Information Anarchy -  
http://www.nmrc.org/InfoAnarchy/  
  
  
Copyright  
---------  
  
This advisory is Copyright (c) 2002 NMRC - feel free to distribute it  
without edits but fear us if you use this advisory in any type of  
commercial endeavour.  
  
  
_______________________________________________________________________________  