
Title: UnixWare 7 scohelphttp exposes local files
Released by: Defcom Labs
Date: 11th September 2000
======================================================================
                  Defcom Labs Advisory def-2000-01

             UnixWare 7 scohelphttp exposes local files

Author: Olle Segerdahl
Release Date: 2000-09-11
======================================================================

------------------------=[Brief Description]=-------------------------

The search function "/search97cgi/vtopic" used by the UnixWare 7
"scohelphttp" webserver (tcp port 457) contains a bug that lets anyone
with access to scohelphttp view any world-readable file on the host.

------------------------=[Affected Systems]=--------------------------

SCO UnixWare 7 with "scohelphttp" enabled (default install)

Possibly other applications using the same, or similar, search97 code.

----------------------=[Detailed Description]=------------------------

The view function of the search97cgi/vtopic cgi has a parameter called
ViewTemplate that specifies an HTML template file for search results.
(http://unixware7box:457/search97cgi/vtopic?action=view&ViewTemplate=)

The contents of this variable are not checked for "/../" paths, thus
enabling anyone to view any file readable to the webserver process.
The webserver runs as user "nobody" by default, limiting the accessible
files to those that are "world readable" (/etc/passwd, but not
/etc/shadow).

---------------------------=[Workaround]=-----------------------------

Run the following commands (as root) to stop and disable the scohelphttp
webserver, then await a fix from SCO:

    /usr/ns-home/httpd-scohelphttp/stop
    /usr/ns-home/httpd-scohelphttp/disable

-------------------------=[Vendor Response]=--------------------------

This issue was brought to SCO's attention on the 18th of July and was
assigned the ID SCO-375377.

I have, at the time of this release, not yet been informed by SCO of
any adequate fix for this problem, either existing or forthcoming.

Their initial response to my report was (verbatim):

"The search function you refer to is part of the documentation search
facility on a UnixWare 7 system that has scohelphttp(X1M), the man and
scohelp document server, configured and enabled.
Disabling scohelphttp(X1M) will remove the ability to access man pages
and the scohelp online help facility on the system. I do consider this
to be a bug in scohelphttp(X1M) and I have raised this issue with our
Engineering group to see if there is a workaround to the problem.
If there is no workaround, I will escalate the issue to be fixed."

On the 31st of July I was offered a fix involving substituting the vtopic
cgi with a shell script wrapper that checked for a dot or a slash
(using "if echo $QUERY_STRING | egrep '(Template=\.|Template=/)'")
in the first character of the ViewTemplate variable and then ran the
original (unfixed) vtopic cgi.

My reply was that this fix was not only inadequate; I also considered
it to be worse than the original, as it introduced new problems with
shell metacharacters in $QUERY_STRING.
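
To make the difference concrete, here is an added Python example (not part of the advisory and not SCO's wrapper) that contrasts a first-character test like the one proposed above with a canonical-path check that confines ViewTemplate to the template directory. The template directory path is an assumption; the advisory does not give the real one.

```python
import os
import re
from urllib.parse import parse_qs

# Constructed stand-in for the directory the search97 view templates live in;
# the advisory does not give the real path on UnixWare 7.
TEMPLATE_DIR = "/tmp/search97/templates"

# Approximation of the proposed wrapper's test: it only looks at the character
# right after "Template=", so it rejects values starting with '.' or '/' and
# nothing else.
FIRST_CHAR_RE = re.compile(r"Template=(\.|/)")


def first_char_check_allows(query_string: str) -> bool:
    """True if a first-character check would let this query string through."""
    return FIRST_CHAR_RE.search(query_string) is None


def safe_template_path(template_dir: str, view_template: str):
    """Resolve view_template inside template_dir and return the canonical path,
    or None if the value is empty, contains NUL, names the directory itself,
    or would escape the directory (via "..", an absolute path, or a symlink)."""
    if not view_template or "\x00" in view_template:
        return None
    root = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(root, view_template))
    # commonpath avoids the "/root" vs "/rootX" prefix pitfall of startswith().
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def template_from_query(query_string: str):
    """Extract ViewTemplate from a vtopic-style query string and validate it."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("ViewTemplate", [])
    if len(values) != 1:  # missing or repeated parameter: refuse
        return None
    return safe_template_path(TEMPLATE_DIR, values[0])


if __name__ == "__main__":
    for q in ("action=view&ViewTemplate=results.htm",
              "action=view&ViewTemplate=../../etc/passwd",
              "action=view&ViewTemplate=sub/../../../etc/passwd"):
        print(q, "| first-char check allows:", first_char_check_allows(q),
              "| canonical path:", template_from_query(q))
```

The third query string shows why the first-character test is inadequate: it begins with a plain filename component, yet resolves outside the template directory, and only the canonical-path check rejects it.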



The last communication I received from SCO was on August the 8th:

"The search97cgi binary is the problem and I have conveyed a message to
the engineers responsible that the workaround is not acceptable.
As soon as I have any further news of a solution I will let you know."

======================================================================
  This release was brought to you by Defcom Labs of Defcom Security

          labs@defcom-sec.com             www.defcom-sec.com
======================================================================