Novell GroupWise WebAccess error modules loading
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear ladies and gentlemen
We have found a potential security vulnerability in the Novell GroupWise
WebAccess error module handling. First of all it is possible to circumvent the
login procedure. If a user connects to https://www.scip.com:1444/servlet/webacc
(this is just an example with our domain) he is able to authenticate with his
user name and password. If a wrong input is made, the webacc application is
loading the error page. It is possible to specify another error document with
the $QUERY_STRING variant error. If this reference is done for the webacc
itself - the url https://www.scip.com:1444/servlet/webacc?error=webacc would be
required -, the login is circumvented. You are always logged in with a "ghost
user" without a profile. It seems not to be possible to load and store data or
to use other services (e.g. address book or sending email). It is also possible
to reach specific template files with specification of their names (e.g.
https://www.scip.com:1444/servlet/webacc?error=send for sending emails).
Reaching other files than with the extension .htt or files outside the
webserver root directory seems not possible. An attacker may use this
vulnerability to exploit a bug that is only exploitable by authenticated users.
More details on how this htt framework should be used can be found at
http://developer.novell.com/ndk/doc/gwwbacc/index.html?page=/ndk/doc/gwwbacc/gwwebacc/data/a6l4t54.html
- You find the original advisory, written in german, on
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1020 (Novell GroupWise WebAccess
error Authentisierung umgehen).
The second flaw depends on the first one. You are able to specify a (wrong)
user name in the login screen. Afterwards you circumvent the authentication as
described before. If you are opening the about screen (e.g.
https://www.scip.com:1444/servlet/webacc?error=about or by clicking on the
WebAccess logo on the top) in the Program Release line you see the version data
of the GroupWise installation. The user name that has been specified in your
last login procedure is printed on the Userid line. It may be possible to do
html injection in this case. For example if the user name "<a
href=http://www.scip.ch>www.scip.ch</a>" has been used, this html link will be
printed. The injection of scripts seems not to be possible because the required
tags <script> and </script> are filtered/replaced. This vulnerability may be
useful to gain the version data of the installation and it may be possible to
realize a social engineering or html injection attack (e.g. loading a corrupt
JPEG file to exploit the Windows buffer overflow). You find the original
advisory, written in german, on
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1021 (Novell GroupWise WebAccess
error about erweiterte Rechte).
We have not found any information on that issue. So I sent this information
(nearly the same posting) on 14/12/04 to info@xxxxxxxxxx and asked for a
solution. As I haven't heard _anything_ until 23/12/04 I sent a reminder email
to the same address. So no reply came back we made this vulnerability public
finally to force Novell to react on this case. An Attack Tool Kit (ATK) plugin
that addresses this vulnerability will be published in the next days[1].
Regards,
Marc Ruef
[1] http://www.computec.ch/projekte/atk/
- --
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18
F +41 1 445 18 19
maru@xxxxxxx
www.scip.ch
- - Aktuellste IT-Sicherheitsluecken -
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch
iQA/AwUBQevrDBe5hzJzqVMhEQJrtQCg041eH6NVBOQ+GPS5QudSw2ARKAAAni/P
tTao1cSGtOUvnKKsqqH5/0Gs
=A+fy
-----END PGP SIGNATURE-----