Great Circle Associates Firewalls
(July 1996)
 


Subject: *** SECURI
From: /DDV=firewalls-owner @ GreatCircle . COM/DDT=rfc-822/OU=INET00/P=STATEFARM/A=IBMX400/C=US/
Date: Wed, 31 Jul 1996 16:13:00 -0500
To: firewalls @ GreatCircle . COM
X400-mts-identifier: [ /P=STATEFARM/A=IBMX400/C=US/ ; stfmx400.... 0YzF5K00007I4 ]

          SENT BY BECK KENT                  00C GJEW  EMC2           1984
Date: Wednesday, 31 July 1996 4:14pm CT
To: John.TRAENKENSCHUH
Cc: Aaron.BENSON, John.PUGH, EXTERNAL.EMAIL
From: Kent.BECK
Subject: *** SECURITY ALERT ***

/eternal
/to bob_pugh @
 novell .
 com
/end

No John, we are not using Novell HTTP servers.
--------------------------( Forwarded letter 1 follows )---------------------
Date: Monday, 8 July 1996 7:30am CT
To: Kent.BECK
From: John.TRAENKENSCHUH
Subject: *** SECURITY ALERT ***

We're not using Novell HTTP servers, right?
--------------------------( Forwarded letter 2 follows )---------------------
Date: Wednesday, 3 July 1996  4:50pm                            HPDesk
To: External.EMAIL
From: EXTERNAL.EMAIL
Subject: *** SECURITY ALERT ***

You are a BCC recipient of this message

******************************************************************************
******************************************************************************

Part 3.


Precedence: bulk

I spent some time exploring Novell's HTTP server and out of the box
there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's
it comes with until you understand (fully understand) what the
security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The CGI in question is convert.bas (yes, cgi's in basic, stop laughing).
(There may be more CGI's in the scripts dir that can be exploited
but this was all I could stomach.)

A remote user can read any file on the remote file system using
this CGI.  This means that if you are running the Novell HTTP
server and have the 'out of box' CGI's, you are breached.
Exploit code:
http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

I was going to see how bad this threat was by connecting to
www servers, testing for "Novell HTTP" in the HTTP server response
BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-)
+links:scripts/convert.bas
will return you all the sites that can be breached.

PLEASE PLEASE PLEASE don't open the box and put the machine on the
Internet.  I am getting tired of this kind of stuff.
Who the hell did Novell consult with to write these darn CGI's?
It makes me sad.

--blast
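
Added example, not part of the original message or of Novell's software: a log check an administrator could run to see whether a server was asked for `scripts/convert.bas` with a `..` path in the query string, as the alert describes. It assumes a Common Log Format access log; the function names and the sample lines are constructed for illustration, and the case-insensitive path match is an assumption about the server.

```python
import re
from urllib.parse import unquote

# Assumes Common Log Format: client ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')
SCRIPT = "/scripts/convert.bas"  # CGI path named in the alert

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jul/1996:07:30:00 -0500] "GET /scripts/convert.bas?../../anything/you/want/to/view HTTP/1.0" 200 512',
    '192.0.2.11 - - [08/Jul/1996:07:31:00 -0500] "GET /scripts/convert.bas?%2e%2e%5c%2e%2e%5cfile HTTP/1.0" 200 300',
    '192.0.2.12 - - [08/Jul/1996:07:32:00 -0500] "GET /SCRIPTS/CONVERT.BAS?%252e%252e/x HTTP/1.0" 404 0',
    '192.0.2.13 - - [08/Jul/1996:07:33:00 -0500] "GET /scripts/convert.bas?readme.txt HTTP/1.0" 200 100',
    '192.0.2.14 - - [08/Jul/1996:07:34:00 -0500] "GET /index.htm HTTP/1.0" 200 2048',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is seen as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(query):
    """True if the decoded query string contains a '..' path segment."""
    normalized = fully_decode(query).replace("\\", "/")
    return ".." in normalized.split("/")

def find_convert_bas_probes(log_lines):
    """Return (client, target, status) for traversal requests to convert.bas."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        # Assumption: the server matches file names case-insensitively.
        if fully_decode(path).lower() == SCRIPT and has_traversal(query):
            hits.append((client, target, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_convert_bas_probes(SAMPLE_LOG):
        print(hit)
```

The status code is returned with each hit so that requests the server answered can be reviewed before the ones it rejected.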

