OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: IBM Net.Data Local Path Disclosure Vulnerability?
From: Chad Kalmes (chad.j.kalmesUS.ARTHURANDERSEN.COM)
Date: Tue Nov 28 2000 - 10:45:58 CST


Not sure if this is exactly a new issue or not, but
IBM's Net.Data package (often used in conjuction
with NetCommerce3 and db2www) will disclose the
local path of server files if fed improper requests.
This software is in use on a variety of sites, including
several online-shopping locales.

Example (from IBM's own pages):

By issuing a /report request from the document.d2w
file, the db2www package builds and displays the
proper HTML page, as requested.

VALID CALL:
http://www-4.ibm.com/cgi-
bin/db2www/library/document.d2w/report?
uid=UNKNOWN&pwd=&search_type=SIMPLE&r_hos
t=&last_page=db2www0022.html&fn=db2www.html#
ToC

YIELDS:
Proper web page.

However, by issuing a bad /show request
(or /garbarge, /whatever, etc.), the package outputs
an error message showing the local path to the d2w
macro file, assuming no valid /show function exists
within the .d2w file.

INVALID CALL:
http://www-4.ibm.com/cgi-
bin/db2www/library/document.d2w/show

YIELDS:
DTWP029E: Net.Data is unable to locate the HTML
block SHOW in
file /projects/www/netdata/macro/software/library/doc
ument.d2w.

While not a security problem per se, it still yields
increased information about the local host system.
This 'feature' or 'flaw' is present on both *NIX and
WIN versions of the software (unsure about OS2)
and every instance I've found on the Internet is
subject to this disclosure. Path disclosure
vulnerabilities have been highlighted in other
packages, so I figured I'd point this one out as well.

There may be a debugging switch or custom error
message that could be turned on/off that would
prevent the output of the Net.Data error to the end
user, but I am somewhat unfamiliar with the specifics
of the available software/server configuration.

IBM was contacted on 11/27 with an inquiry regarding
any ways to prevent this but responded only with a
form e-mail linking to a website which offered no
support or further contact information without
purchasing premium support.

ck