
Re: BoS: *** SECURITY ALERT *** (fwd)



     Yes out of the box it is insecure. However in a random sampling of 10 
     sites there was 1 site that restricted using ../ so (I assume) that by 
     using Novell's security you CAN restrict this bug. However you can 
     access files like AUTOEXEC.NCF, and even login scripts in the hidden 
     _NETWARE directory (if you know the name).
     
     It does appear you are restricted to the SYS: volume, however if you 
     are using XCONSOLE and have your remote console password in plaintext 
     (instead of encrypted) you are just inviting someone to telnet to the 
     server console....
     
     Mark_W_Loveless@smtp.bnr.com
     Opinions are my own, not my employer's


______________________________ Reply Separator _________________________________
Subject: BoS: *** SECURITY ALERT *** (fwd)
Author:  best-of-security@suburbia.net at internet
Date:    7/3/96 9:41 PM


---------- Forwarded message ---------- 
Date: Wed, 3 Jul 1996 14:50:06 -0700 (PDT) 
From: TTT Group <ttt@broder.com>
Subject: *** SECURITY ALERT ***
     
I spent some time exploring Novell's HTTP server and out of the box 
there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!
     
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
If you are running the Novell HTTP server, please disable the CGI's 
it comes with until you understand (fully understand) what the 
security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     
The CGI in question is convert.bas (yes, cgi's in basic, stop laughing). 
(There may be more CGI's in the scripts dir that can be exploited
but this was all I could stomach.)
     
A remote user can read any file on the remote file system using 
this CGI.  This means that if you are running the Novell HTTP 
server and have the 'out of box' CGI's, you are breached. 
Exploit code:
http://victim.com/scripts/convert.bas?../../anything/you/want/to/view
     
I was going to see how bad this threat was by connecting to 
www servers, testing for "Novell HTTP" in the HTTP server response 
BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-) 
+links:scripts/convert.bas
will return you all the sites that can be breached.
     
PLEASE PLEASE PLEASE don't open the box and put the machine on the 
Internet.  I am getting tired of this kind of stuff.
Who the hell did Novell consult with to write these darn CGI's? 
It makes me sad.
     
- --blast
     
------------------------------
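
A defender-side check for the request pattern the advisory describes, as an added example that is not part of the original messages: it scans web access log lines for requests to scripts/convert.bas whose query string climbs directories, including percent-encoded and backslash forms. The Common Log Format layout, the case-insensitive path match and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the server writes Common Log Format; the request field is "METHOD target PROTOCOL".
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"')
SCRIPT = "/scripts/convert.bas"  # script path named in the advisory

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_parent_segment(query):
    """True if any path segment of the decoded query is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]", decode_fully(query))

def find_traversal_requests(log_lines):
    """Return (client, decoded_query) for convert.bas requests that climb directories."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # Assumption: compare the script path case-insensitively and accept backslashes.
        if decode_fully(path).lower().replace("\\", "/") != SCRIPT:
            continue
        if has_parent_segment(query):
            hits.append((m.group("client"), decode_fully(query)))
    return hits

# Constructed sample log lines (documentation addresses, not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/1996:14:50:06 -0700] "GET /scripts/convert.bas?../../anything/you/want/to/view HTTP/1.0" 200 512',
    '192.0.2.11 - - [03/Jul/1996:14:51:00 -0700] "GET /scripts/convert.bas?readme.txt HTTP/1.0" 200 100',
    '192.0.2.12 - - [03/Jul/1996:14:52:00 -0700] "GET /SCRIPTS/CONVERT.BAS?%2e%2e%5c%2e%2e%5cview HTTP/1.0" 200 90',
    '192.0.2.13 - - [03/Jul/1996:14:53:00 -0700] "GET /index.htm?a=../b HTTP/1.0" 200 40',
    '192.0.2.14 - - [03/Jul/1996:14:54:00 -0700] "GET /scripts/convert.bas?%252e%252e/view HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, query in find_traversal_requests(SAMPLE_LOG):
        print(client, query)
```

The response status is deliberately ignored, so blocked attempts are reported along with successful reads.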