securitysco.com
Date: Tue Aug 26 2003 - 12:07:49 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: bugtraqsecurityfocus.com announcelists.caldera.com full-disclosurelists.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________

                SCO Security Advisory

Subject: OpenServer 5.0.7 : The docview package allows anonymous remote users to view any publicly readable files on a OpenServer system.
Advisory number: CSSA-2003-SCO.16
Issue date: 2003 August 25
Cross reference:
__________________________________________________________

1. Problem Description

        Docview provides the OpenServer Administration Guide,
        available in browser HTML format.

        Due to a misconfiguration of the apache server, anonymous
        remote users are able to craft a URL in such a way as to
        view any publicly readable file.

        The Common Vulnerabilities and Exposures (CVE) project has
        assigned the name CAN-2003-0658 to this issue. This is a candidate
        for inclusion in the CVE list (http://cve.mitre.org), which

2. Vulnerable Supported Versions

        System Binaries
        ----------------------------------------------------------------
        OpenServer 5.0.7 /usr/lib/docview/conf/templates/rewrite.conf.in

        3. Solution

        The proper solution is to install the latest packages.

        4. OpenServer 5.0.7

          4.1 Location of Fixed Binaries

            ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2003-SCO.16/

          4.2 Verification

            MD5 (VOL.000.000) = d3d538206b2362949813dc93713d5c93

            md5 is available for download from
              ftp://ftp.sco.com/pub/security/tools

          4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following sequence:

              1) Download the VOL* files to the /tmp directory
              2) Run the custom command, specify an install from
                 media images, and specify the /tmp directory as the
                 location of the images.

        6. References

          Specific references for this advisory:
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0658

          SCO security resources:

            http://www.sco.com/support/security/index.html

          This security fix closes SCO incidents
            sr882453 fz528125 erg712368.

        7. Disclaimer

        SCO is not responsible for the misuse of any of
        the information we provide on this website and/or through our
        security advisories. Our advisories are a service to our
        customers intended to promote secure installation and use of
        SCO products.
           
           
        8. Acknowledgements

        SCO would like to thank Milos Krmesky for discovery of this
        vulnerability.

_________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/SmdRaqoBO7ipriERAsXoAJ44l661hJJG62NwmSOMlY0hQVEITQCfdT9H
SLYZL90eZqx6fjQxHm/acys=
=lGV7
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]