lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Mar 2009 21:03:59 -0400 From: Jeremy Brown <0xjbrown41@...il.com> To: Bugs NotHugs <bugsnothugs@...il.com>, full-disclosure@...ts.grok.org.uk Subject: Re: Novell Netstorage Multiple Vulnerabilities I like you name, hehe. On Thu, Mar 26, 2009 at 8:50 PM, Bugs NotHugs <bugsnothugs@...il.com> wrote: > - Novell Netstorage Multiple Vulnerabilities > > - Description > > "Novell NetStorage acts as a bridge between a company's protected Novell network > and the Internet, providing protected file access from any Internet > location. Files > and folders on a Novell NetWare® 6.5 server or Novell Open Enterprise > Server can be > accessed using either a browser or via Network Neighborhood and Microsoft Web > Folders; no Novell Client^Ù software is required. Users can securely > access files > from any IP-enabled machine via Secure Sockets Layer (SSL) and Secure Hypertext > Transfer Protocol (HTTPS)." > > Novell NetStorage contains a wide variety of vulnerabilities that may > allow an attacker > to cause a denial of service, gain configuration information or exploit other > users of the application. > > #1 - Filter Field XSS > > The 'filter' field does not sanitize user-supplied input. An attacker > could use this > to carry out cross-site scripting attacks against other authenticated users. > > ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--> > </SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> > > #2 - Mail File Action Path Disclosure > > On a file list, if a user right clicks a file, chooses the 'mail' > option and then > pastes script code in any field, the application will produce an error message > disclosing the installation path: > > Paste the following script: > > ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->< > /SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> > > Resulting error: > > OES: > 'file:/var/opt/novell/novlwww/email.xsl': (1): mismatched end tag: > expected "to" but got "SCRIPT" > > Netware: > 'file:/SYS:/tomcat/4/email.xsl': (1): mismatched end tag: expected > "subject" but got "SCRIPT" > > #3 - File Attribute Malformed Input Server DoS > > When interacting with files, a user can right click on the file and click > either 'NFS Info' or 'Netware Info'. Supplying script code into various fields > will cause the Netware server to abend and lock up. > > Note: This was only tested on version 2.0.1 on netware 6.5 SP6, not OES. > > The following script code causes the issue: > > ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->< > /SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> > > - Product > > Novell Inc., Netstorage, 3.1.5-19 on OES - 2.0.1 on netware 6.5 SP6 > > - Solution > > None > > - Timeline > > 2008-06-06: Vulnerability Discovered > 2008-07-07: Disclosed to Vendor (no ack) > 2008-10-05: Re-sent to Vendor (no ack) > 2009-03-26: Disclosed to Public (no more playing nice) > > -- > > BugsNotHugs > Shared Vulnerability Disclosure Account > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists