OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Information Anarchy 2K01 (advisoriesnmrc.org)
Date: Fri May 10 2002 - 13:30:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Per our policy at http://www.nmrc.org/advise/policy.txt, we are releasing
    these advisories as these are not high priority and the vendor has a fix
    that is scheduled to be released soon. In an effort to save bandwidth,
    both advisories are in this single email. NMRC will see you at DefCon in
    Las Vegas!

    _______________________________________________________________________________

                     I N F O R M A T I O N A N A R C H Y 2 K 0 1
                              www.nmrc.org/InfoAnarchy

                            Nomad Mobile Research Centre
                                  A D V I S O R Y
                                   www.nmrc.org
                            Cyberiad [cyberiadnmrc.org]
                                     10May2002
    _______________________________________________________________________________

             Platforms : Solaris 2.8
             Application: Critical Path inJoin V4.0 Directory Server
             Severity : Medium

    Synopsis
    --------

    This advisory documents a web traversal vulnerability in the Web-based
    administrator interface, named iCon, of the inJoin Directory Server that
    allows an attacker with the correct username and password to read any file
    accessible to the ids user.

    Details
    -------

    The administrative web server, iCon, listens on TCP port 1500 and runs
    under the ids account. By connecting to this port using a web browser and
    entering a correct administrator username and password, an operator can
    remotely administer the Directory Server and view log entries. The URL
    used to view log entries is of the form.

      http://ip:1500/CONF&LOG=iCon.err&NOIH=no&FRAMES=y

    The value of the file= parameter refers to a file named iCon.err.
    Unfortunately, no checks are performed on the location of this value.
    Therefore, an authenticated user can replace the file= parameter with the
    absolute path to a filename and read the contents. For example, the
    following request returns the /etc/passwd file,

      http://ip:1500/CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y

    Only those files that can be read by the ids account are accessible. For
    example, by default, /etc/shadow cannot be retrieved. Testing confirmed
    that the attack is not successful without the correct administrator
    username and password.

    Tested configurations
    ---------------------

    Testing was performed with the following configurations:

      Critical Path inJoin V4.0 Directory Server
      Solaris 2.8

    Vendor Response
    ---------------

    Critical Path Inc:

    Critical Path was contacted on April 30, 2002 and has implemented
    preventative fixes for this issue. A maintenance release to be known as
    iCon 4.1.4.7 will be posted on the Critical Path support website at
    http://support.cp.net, which is available to supported customers. This
    will be within the next few weeks, dependent upon other fixes that need to
    be made available in this maintenance release.

    Solution/Workaround
    -------------------

    Filter TCP port 1500 at the border to prohibit public access to the
    Directory Server's administrative interface.

    Use a strong password on the Directory Server administrator account and
    change regularly. Distribute the password to only Directory Server
    administrators.

    Modify permissions on sensitive files to prohibit access by the ids user.

    Though administration of the Directory Server over SSL is currently not
    supported, Ciritical Path recommends the use of VPN software to mitigate
    the risk of disclosure of the administrator username and password. The
    next major release of the Critical Path Directory Server will features
    SSL-enablement of the web-based management interface.

    Comments
    --------

    This advisory has been released under Information Anarchy -
    http://www.nmrc.org/InfoAnarchy/

    Copyright
    ---------

    This advisory is Copyright (c) 2002 NMRC - feel free to distribute it
    without edits but fear us if you use this advisory in any type of
    commercial endeavour.

    _______________________________________________________________________________

    _______________________________________________________________________________

                     I N F O R M A T I O N A N A R C H Y 2 K 0 1
                              www.nmrc.org/InfoAnarchy

                            Nomad Mobile Research Centre
                                  A D V I S O R Y
                                   www.nmrc.org
                            Cyberiad [cyberiadnmrc.org]
                                     10May2002
    _______________________________________________________________________________

             Platforms : Solaris 2.8
             Application: Critical Path inJoin V4.0 Directory Server
             Severity : Low

    Synopsis
    --------

    This advisory documents cross-site scripting vulnerabilities in the
    Web-based administrator interface, named iCon, of the inJoin Directory
    Server that allows an attacker with the correct username and password to
    inject HTML script and use the server in a cross-site scripting attack.

    Details
    -------

    The administrative web server, iCon, listens on TCP port 1500 and runs
    under the ids account. By connecting to this port using a web browser and
    entering a correct administrator username and password, an operator can
    remotely administer the Directory Server. Testing of various
    administrative URL's located situations in which script can be injected
    and executed upon rendering of the response. Two examples are as follows,

    http://ip:1500/DSASD&DSA=1&LOCID=>^.</script>&FRAME=Y
    http://ip:1500/OBCR&OC=>^.</script>&FRAME=Y

    Additional URL requests are also thought to be vulnerable. Testing
    confirmed that the attack is not successful without the correct
    administrator username and password.

    Tested configurations
    ---------------------

    Testing was performed with the following configurations:

      Critical Path inJoin V4.0 Directory Server
      Solaris 2.8

    Vendor Response
    ---------------

    Critical Path Inc:

    Critical Path was contacted on April 30, 2002 and has implemented
    preventative fixes for this issue. A maintenance release to be known as
    iCon 4.1.4.7 will be posted on the Critical Path support website at
    http://support.cp.net, which is available to supported customers. This
    will be within the next few weeks, dependent upon other fixes that need to
    be made available in this maintenance release.

    Solution/Workaround
    -------------------

    Filter TCP port 1500 at the border to prohibit public access to the
    Directory Server's administrative interface.

    Use a strong password on the Directory Server administrator account and
    change regularly. Distribute the password to only Directory Server
    administrators.

    Though administration of the Directory Server over SSL is currently not
    supported, Ciritical Path recommends the use of VPN software to mitigate
    the risk of disclosure of the administrator username and password. The
    next major release of the Critical Path Directory Server will features
    SSL-enablement of the web-based management interface.

    Comments
    --------

    This advisory has been released under Information Anarchy -
    http://www.nmrc.org/InfoAnarchy/

    Copyright
    ---------

    This advisory is Copyright (c) 2002 NMRC - feel free to distribute it
    without edits but fear us if you use this advisory in any type of
    commercial endeavour.

    _______________________________________________________________________________