Message-ID: <20030826100752.A10600@caldera.com>
From: security at sco.com (security@....com)
Subject: UnixWare 7.1.3 : The docview package allows anonymous remote users to view any publicly readable files on a UnixWare system.
To: bugtraq@...urityfocus.com announce@...ts.caldera.com full-disclosure@...ts.netsys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
__________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.3 : The docview package allows anonymous remote users to view any publicly readable files on a UnixWare system.
Advisory number: CSSA-2003-SCO.18
Issue date: 2003 August 22
Cross reference:
__________________________________________________________
1. Problem Description
Docview provides the UnixWare System Administration Guide,
available in browser HTML format.
Due to a misconfiguration of the Apache server, anonymous
remote users are able to craft a URL in such a way as to
view any publicly readable file.
The Common Vulnerabilities and Exposures (CVE)
project has assigned the name CAN-2003-0658 to this
issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names
for security problems.
2. Vulnerable Supported Versions
System            Binaries
---------------------------------------------------------------
UnixWare 7.1.3    /usr/lib/docview/conf/templates/rewrite.conf.in
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.18/
4.2 Verification
MD5 (erg712369.pkg.Z) = b00357fa4f69a2aebcc7d539cc77a24b
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712369.pkg.Z to the /var/spool/pkg directory
    # uncompress /var/spool/pkg/erg712369.pkg.Z
    # pkgadd -d /var/spool/pkg/erg712369.pkg
or
    # zcat erg712369.pkg.Z | pkgadd -d -
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0658
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents
sr882458 fz528126 erg712369.
6. Disclaimer
SCO is not responsible for the misuse of any of
the information we provide on this website and/or through our
security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
SCO products.
7. Acknowledgments
SCO would like to thank Milos Krmesky for discovery
of this vulnerability.
_________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj9KsXkACgkQaqoBO7ipriGbmwCfU7hfWplzvTPh5CkZlGzFftuX
7vEAn1Jk461apUF4D8hRySc27/OBnkB4
=16QN
-----END PGP SIGNATURE-----