Full Disclosure: Novell GroupWise WebAccess error modules loading

["Marc Ruef" <maru () scip ch>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear ladies and gentlemen

We have found a potential security vulnerability in the Novell GroupWise WebAccess error module handling. First of all 
it is possible to circumvent the login procedure. If a user connects to https://www.scip.com:1444/servlet/webacc (this 
is just an example with our domain) he is able to authenticate with his user name and password. If a wrong input is 
made, the webacc application is loading the error page. It is possible to specify another error document with the 
$QUERY_STRING variant error. If this reference is done for the webacc itself - the url 
https://www.scip.com:1444/servlet/webacc?error=webacc would be required -, the login is circumvented. You are always 
logged in with a "ghost user" without a profile. It seems not to be possible to load and store data or to use other 
services (e.g. address book or sending email). It is also possible to reach specific template files with specification 
of their names (e.g. https://www.scip.com:1444/servlet/webacc?error=send for sendi!
 ng emails). Reaching other files than with the extension .htt or files outside the webserver root directory seems not 
possible. An attacker may use this vulnerability to exploit a bug that is only exploitable by authenticated users. More 
details on how this htt framework should be used can be found at 
http://developer.novell.com/ndk/doc/gwwbacc/index.html?page=/ndk/doc/gwwbacc/gwwebacc/data/a6l4t54.html - You find the 
original advisory, written in german, on http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1020 (Novell GroupWise 
WebAccess error Authentisierung umgehen).

The second flaw depends on the first one. You are able to specify a (wrong) user name in the login screen. Afterwards 
you circumvent the authentication as described before. If you are opening the about screen (e.g. 
https://www.scip.com:1444/servlet/webacc?error=about or by clicking on the WebAccess logo on the top) in the Program 
Release line you see the version data of the GroupWise installation. The user name that has been specified in your last 
login procedure is printed on the Userid line. It may be possible to do html injection in this case. For example if the 
user name "<a href=http://www.scip.ch>www.scip.ch</a>" has been used, this html link will be printed. The injection of 
scripts seems not to be possible because the required tags <script> and </script> are filtered/replaced. This 
vulnerability may be useful to gain the version data of the installation and it may be possible to realize a social 
engineering or html injection attack (e.g. loading a corrupt JPEG file t!
 o exploit the Windows buffer overflow). You find the original advisory, written in german, on 
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1021 (Novell GroupWise WebAccess error about erweiterte Rechte).

We have not found any information on that issue. So I sent this information (nearly the same posting) on 14/12/04 to 
info () novell com and asked for a solution. As I haven't heard _anything_ until 23/12/04 I sent a reminder email to 
the same address. So no reply came back we made this vulnerability public finally to force Novell to react on this 
case. An Attack Tool Kit (ATK) plugin that addresses this vulnerability will be published in the next days[1].

Regards,

Marc Ruef

[1] http://www.computec.ch/projekte/atk/

- -- 
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18 
F +41 1 445 18 19

maru () scip ch
www.scip.ch

- - Aktuellste IT-Sicherheitsluecken -

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQevrDBe5hzJzqVMhEQJrtQCg041eH6NVBOQ+GPS5QudSw2ARKAAAni/P
tTao1cSGtOUvnKKsqqH5/0Gs
=A+fy
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html