Reported October 16, 2001, by Mike Shema.

VERSION AFFECTED

  • Novell GroupWise 5.5, 6.0 for Windows 2000

 

DESCRIPTION
A vulnerability exists in Novell’s GroupWise server that lets an attacker view files located anywhere on the server. The servlet “webacc” located in /servlet/ typically accesses templates located in webroot. However, if an attacker knows the filename and location and appends the file with a null character, the servlet also permits full directory-path traversal.

 

DEMONSTRATION

Mike Shema provided the following scenario as proof-of-concept. By typing the following into the address window of an Internet browser, a user can display the contents of boot.ini.

 

http://server:port/servlet/webacc?User.html=../../../../../../../../boot.ini%00

 

VENDOR RESPONSE

The vendor, Novell, recommends that users obtain a fix available through regular support channels.

 

CREDIT
Discovered by Mike Shema of Foundstone.