COMMAND

    Netware Web Server/ScriptEase default configuration vulnerability

SYSTEMS AFFECTED

    Netware Web Server 5.1
    Not affected : Netware 5.1 SP3

PROBLEM

    In IRM Security Advisory 002 :

    Novell's Netware 5.1 is shipped with a Web Server that is installed by
    default and contains various sample web pages. There is a "viewcode"
    application that is run through a Netware Loadable Module (NLM), which
    allows the source code of a default web page to be viewed. However, the
    NLM has the sample page name passed to it through a URL containing the
    path to the file. It is possible to alter the URL to permit the contents
    of any file on the system to be viewed, even those situated outside the
    web root. Using this method it is possible to view important
    configuration files, including the autoexec.ncf file, which contains the
    remote console password.

    The viewcode.jse file is designed to be used to display the source code
    of sample files called httplist.htm and httplist.jse. These file names
    are passed as parameters to the NLM through a URL such as :

    http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse

    The application checks the files being requested by requiring that the
    httplist directory is specified in the path to the files to be viewed.
    However, it is possible to traverse directories using /../ after
    httplist. The sewse.nlm module runs with sufficient permissions that it
    is possible to traverse to any file on the file system and view its
    contents. An attacker could use the information gained to launch further
    attacks or to gain console access using the rconsole password.

    An example of the URL used to view the autoexec.ncf is (URL may wrap):

    http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf

    There are Novell best practices which include encrypting the rconsole
    password in the autoexec.ncf file. However, there are tools available
    which can be used to break this encryption. Another Novell recommendation
    is to use a Console Screensaver, which requires the admin password to be
    entered after an rconsole connection has been made.

    This issue is similar to the problem discovered with the convert.bas
    script that shipped with Netware Web Server version 2.0.
    (see http://www.securitybugware.org/mUNIXes/4302.html)

    Update (25 February 2002)
    ======

    Aleksander Posmyk <blah@lucyfer.omi.pl> added that this problem is not
    Netware specific but works for any web server that has ScriptEase
    installed :

    Example
    =======

    Windows:

    http://this.is.the.funniest/us/cgi-bin/sewse.exe?d:/internet/sites/us/sewse/jabber/comment2.jse+c:\boot.ini

    [boot loader]
    timeout=10
    ...

    Novell Netware:

    http://novellhost/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/jabber/comment2.jse+/system/autoexec.ncf

    SET CLIENT FILE ...

    Linux:

    http://linuxhost/cgi-bin/sewse?/home/httpd/html/sewse/jabber/comment2.jse+/etc/passwd

    root:....

SOLUTION

    Remove all sample web pages and sample NLMs. Apply SP3