NOVL-2005-10096251 GroupWise WebAccess Error modules loading (report)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
For Immediate Disclosure
============================== Summary ==============================
Security Alert: NOVL-2005-10096251
Title: GroupWise WebAccess Error modules loading (report)
Date: 21-January-2005
Revision: Original
Product Name: GroupWise 6.5, GroupWise 6.5 WebAccess
OS/Platform(s): NetWare, Windows, Linux
Reference URL: http://support.novell.com/servlet/tidfinder/10096251
Vendor Name: Novell, Inc.
Vendor URL: http://www.novell.com
Security Alerts: http://support.novell.com/security-alerts
Affects: login.htt, about.htt
Identifiers: BugTraq 387566 -
http://www.securityfocus.com/archive/1/387566
Credits: Marc Ruef <maru scip ch>, but thanks, too, to
Pete Connolly <pete connolly btinternet com> for
actually notifying Novell's security team
============================ Description ============================
By specifying a query string (?error=<value>, or ?merge=<value>) on
the WebAccess login URL (for example
http://webacc.company.com/servlet/webacc?merge=about), an
unauthenticated user is able to get read-only access to various public
templates and informational files, including the "about" page for
the WebAccess server which includes the version of GroupWise that
is installed.
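
A defender can look for this request pattern in the web server's
access log. The sketch below is an added example, not part of Novell's
advisory. It assumes Common Log Format and assumes that a webacc
request whose query string holds only "merge" and/or "error" carried
no session; the log lines and the "sid" parameter are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not from a real server).
# "sid" and "TEMPLATE" are placeholders, not real WebAccess names.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2005:10:00:01 +0000] "GET /servlet/webacc HTTP/1.1" 200 5120
192.0.2.44 - - [21/Jan/2005:10:00:07 +0000] "GET /servlet/webacc?merge=about HTTP/1.1" 200 2048
192.0.2.44 - - [21/Jan/2005:10:00:09 +0000] "GET /servlet/webacc?error=about HTTP/1.1" 200 2048
192.0.2.10 - - [21/Jan/2005:10:01:30 +0000] "GET /servlet/webacc?sid=PLACEHOLDER&merge=TEMPLATE HTTP/1.1" 200 9000
192.0.2.77 - - [21/Jan/2005:10:02:00 +0000] "GET /index.html?merge=about HTTP/1.1" 404 310
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
WEBACC_PATH = "/servlet/webacc"          # path taken from the advisory's example URL
TEMPLATE_PARAMS = {"merge", "error"}     # query strings named in the advisory


def find_template_probes(log_text):
    """Return webacc requests whose query string contains only merge/error."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        # Compare case-insensitively so case variants of the path are not missed.
        if url.path.lower() != WEBACC_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        names = {name.lower() for name in params}
        # Assumption: no parameter besides merge/error means no session was sent.
        if names and names <= TEMPLATE_PARAMS:
            hits.append({
                "client": client,
                "time": when,
                "method": method,
                "params": {k.lower(): v[0] for k, v in params.items()},
                "status": int(status),
            })
    return hits


if __name__ == "__main__":
    for hit in find_template_probes(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["params"], hit["status"])
```
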
============================== Impact ===============================
The server is not granting access to private files, and no files can
be modified through this attack. The "about" page, which contains the
version of the GroupWise software installed, is available; however, it
is not considered restricted information, since this same information
is available on the normal login URL page.
Customers that are concerned about the version information being made
public can edit login.htt and about.htt template files to remove this
information. These templates are located in the following
default locations:
NetWare -
sys:\tomcat\4\webapps\ROOT\WEB-INF\classes\com\novell\webaccess\templates\frames
Linux -
/var/opt/novell/gw/WEB-INF/classes/com/novell/webaccess/templates/frames
Windows -
C:\NOVELL\JAVA\SERVLETS\COM\NOVELL\WEBACCESS\TEMPLATES\FRAMES
Remove line 313 in login.htt and line 37 in about.htt.
Additionally, Novell will be making changes in the next update of
GroupWise, version 6.5.4, to address these issues. The changes will
be to ignore any query string parameters if the user is not
authenticated.
Q. What files do non-authenticated users have access to?
A. Read-only access is allowed to template files, which are stored
in a public directory on the server, as well as a version file,
which contains the version of the GroupWise software that is
installed. There is no security risk in displaying the template
files without data--the template files themselves do not contain
confidential information. For the GroupWise 6.5.4 release, this will
be addressed so that no unauthenticated users will be able to access
any information other than the login page.
Q. What query strings expose this behavior?
A. The "error" query string and the "merge" query string can be used
to access read-only versions of the WebAccess templates and the
"about" information for the server. Note that there is no user data
in these templates since the user is not authenticated. The merge
query string works in the following way: when a user is logged in,
actions that return data are performed. The resulting data is merged
into the template specified by "merge" (or "error" if an error
condition occurred) to produce useable output for the authenticated
user. In the case where there is no authentication, there is no data
to merge into the template. Authentication is not bypassed and there
is no generic or "ghost" user logged in.
Q. What information or access is inappropriately divulged to
unauthenticated users?
A. This approach offers no means for accessing restricted files on
the server. If the version information about the server is deemed
restricted, the administrator can edit the about.htt and login.htt
template files to remove this information. These templates are
located at template\frames on an installed WebAccess server.
Q. Is there any way for an attacker to write data into the server
through this method?
A. The approach outlined provides no mechanism for modifying data
or files on the server.
Q. Is it possible to use HTML injection to carry out a social
engineering attack?
A. This supposition is false as the attack described has no ability
to modify data or files on the server in order to inject malicious
code into WebAccess pages.
======================== Recommended Actions ========================
See detailed instructions in the referenced Technical Information
Document (TID) http://support.novell.com/servlet/tidfinder/10096251
============================ DISCLAIMER =============================
The content of this document is believed to be accurate at the time
of publishing based on currently available information. However, the
information is provided "AS IS" without any warranty or
representation. Your use of the document constitutes acceptance of
this disclaimer. Novell disclaims all warranties, express or implied,
regarding this document, including the warranties of merchantability
and fitness for a particular purpose. Novell is not liable for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this document or any security alert, even if
Novell has been advised of the possibility of such damages and even
if such damages are foreseeable.
============================ Appendices =============================
None
================ Contacting Novell Security Alerts ==================
To report suspected security vulnerabilities in Novell products,
send email to
secure@xxxxxxxxxx
PGP users may send signed/encrypted information to us using our PGP
key, available from the pgpkeys.mit.edu server, or our website at:
http://support.novell.com/security-alerts
Novell Security Alerts, Novell, Inc. <secure@xxxxxxxxxx>
PGP Key Fingerprint:
3C6B 3F26 4E34 1ADF E27B D6C4 1AC8 9184 34D1 9739 (revised)
========================= Revision History ==========================
Original: 21-Jan-2005 - Original Publication
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFB8U9JGsiRhDTRlzkRAj9xAJoCdB/5gaMtYh3vre9uDls76KsnngCg7PXz
AiVCn6GGHz4krUdAcgQkgrs=
=Hfuz
-----END PGP SIGNATURE-----