Vulnerability

    Net.Data

Affected

    IBM Net.Data

Description

    Chad Kalmes found following.   Not sure if this  is exactly a  new
    issue or not, but IBM's Net.Data package (often used in conjuction
    with  NetCommerce3  and  db2www)  will  disclose the local path of
    server files if  fed improper requests.   This software is  in use
    on a variety of sites, including several online-shopping locales.

    Example (from  IBM's own  pages):   By issuing  a /report  request
    from the document.d2w file, the db2www package builds and displays
    the proper HTML page, as requested.

    Valid call:

        http://www-4.ibm.com/cgi-bin/db2www/library/document.d2w/report?uid=UNKNOWN&pwd=&search_type=SIMPLE&r_host=&last_page=db2www0022.html&fn=db2www.html#ToC

    yields proper web page.

    However, by issuing a bad /show request (or /garbarge,  /whatever,
    etc.),  the  package  outputs  an  error message showing the local
    path  to  the  d2w  macro  file,  assuming no valid /show function
    exists within the .d2w file.

    Invalid call:

        http://www-4.ibm.com/cgi-bin/db2www/library/document.d2w/show

    yields

        DTWP029E: Net.Data is unable to locate the HTML block SHOW in file /projects/www/netdata/macro/software/library/document.d2w.

    While not  a security  problem per  se, it  still yields increased
    information  about  the  local  host  system.   This  'feature' or
    'flaw' is present  on both *NIX  and WIN versions  of the software
    (unsure about OS2) and every  instance I've found on the  Internet
    is subject  to this  disclosure.   Path disclosure vulnerabilities
    have been highlighted in other packages.

Solution

    Nothing yet.