mailing list archives
IBM Net.Data Local Path Disclosure Vulnerability?
From: Chad Kalmes <chad.j.kalmes () US ARTHURANDERSEN COM>
Date: Tue, 28 Nov 2000 16:45:58 -0000
Not sure if this is exactly a new issue or not, but
IBM's Net.Data package (often used in conjuction
with NetCommerce3 and db2www) will disclose the
local path of server files if fed improper requests.
This software is in use on a variety of sites, including
several online-shopping locales.
Example (from IBM's own pages):
By issuing a /report request from the document.d2w
file, the db2www package builds and displays the
proper HTML page, as requested.
Proper web page.
However, by issuing a bad /show request
(or /garbarge, /whatever, etc.), the package outputs
an error message showing the local path to the d2w
macro file, assuming no valid /show function exists
within the .d2w file.
DTWP029E: Net.Data is unable to locate the HTML
block SHOW in
While not a security problem per se, it still yields
increased information about the local host system.
This 'feature' or 'flaw' is present on both *NIX and
WIN versions of the software (unsure about OS2)
and every instance I've found on the Internet is
subject to this disclosure. Path disclosure
vulnerabilities have been highlighted in other
packages, so I figured I'd point this one out as well.
There may be a debugging switch or custom error
message that could be turned on/off that would
prevent the output of the Net.Data error to the end
user, but I am somewhat unfamiliar with the specifics
of the available software/server configuration.
IBM was contacted on 11/27 with an inquiry regarding
any ways to prevent this but responded only with a
form e-mail linking to a website which offered no
support or further contact information without
purchasing premium support.
- IBM Net.Data Local Path Disclosure Vulnerability? Chad Kalmes (Nov 29)