[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030826100749.A10565@caldera.com>
Date: Tue, 26 Aug 2003 10:07:49 -0700
From: security@....com
To: bugtraq@...urityfocus.com, announce@...ts.caldera.com,
full-disclosure@...ts.netsys.com
Subject: OpenServer 5.0.7 : The docview package allows anonymous remote users to view any publicly readable files on a OpenServer system.
To: bugtraq@...urityfocus.com announce@...ts.caldera.com full-disclosure@...ts.netsys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
__________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.7 : The docview package allows anonymous remote users to view any publicly readable files on a OpenServer system.
Advisory number: CSSA-2003-SCO.16
Issue date: 2003 August 25
Cross reference:
__________________________________________________________
1. Problem Description
Docview provides the OpenServer Administration Guide,
available in browser HTML format.
Due to a misconfiguration of the apache server, anonymous
remote users are able to craft a URL in such a way as to
view any publicly readable file.
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2003-0658 to this issue. This is a candidate
for inclusion in the CVE list (http://cve.mitre.org), which
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------
OpenServer 5.0.7 /usr/lib/docview/conf/templates/rewrite.conf.in
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.7
4.1 Location of Fixed Binaries
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2003-SCO.16/
4.2 Verification
MD5 (VOL.000.000) = d3d538206b2362949813dc93713d5c93
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from
media images, and specify the /tmp directory as the
location of the images.
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0658
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents
sr882453 fz528125 erg712368.
7. Disclaimer
SCO is not responsible for the misuse of any of
the information we provide on this website and/or through our
security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
SCO products.
8. Acknowledgements
SCO would like to thank Milos Krmesky for discovery of this
vulnerability.
_________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
iD8DBQE/SmdRaqoBO7ipriERAsXoAJ44l661hJJG62NwmSOMlY0hQVEITQCfdT9H
SLYZL90eZqx6fjQxHm/acys=
=lGV7
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists