• Home
• About us
  • Our company
  • Careers
  • Contact us
  • Legal and privacy
• Security management
  • Information Security Healthcheck
  • Risk Assessment
  • Security Documentation Sets
• PCI compliance
  • PCI DSS Compliance
  • PCI - PA DSS compliance
  • PCI - Qualified Forensic Investigator
  • ASV Scans
  • OmniPORT
• Application security
  • Application Security Test
  • Application Architecture Assessment
  • Security Code Review
  • Product Security Review
  • Secure Development Training
• Infrastructure security
  • Penetration Testing
  • Managed Vulnerability Scanning
  • Infrastructure Assessment
  • Security Design Review
• Incident response
  • Digital Forensics
  • Incident Response
  • NetFACTS
• Newsroom
  • Press Releases

• Text size
• A
• A
• A

How can IRM help us?

• Make our business PCI compliant

  How can IRM help us make our business PCI compliant?

  As one of the leading independent providers of information security consultancy and security testing services, IRM's PCI DSS services have helped several businesses with their compliance roadmap.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • OmniPORT
  • ASV Scans
  • Penetration Testing
  • PCI DSS Compliance
• Write code securely

  How can IRM help us to write code securely?

  How secure your code is depends on how security aware your development team is. IRM’s Secure Development Training exposes your developers to common application layer vulnerabilities and explains how they manifest in various development platforms.

  Combine this with an ongoing code review process and it will highlight areas for improvement that can be fed back into the development cycle.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Secure Development Training
  • Security Code Review
• Assess the security of our new e-commerce platform

  How can IRM help us assess the security of our new e-commerce platform?

  Assessing the security of your business application depends on its development phase. The design should be reviewed early on in the project to ensure critical security requirements will be fulfilled and to weed out any glaring issues that could slip into production.

  At development time, proactive identification of vulnerabilities via code review will cut costs associated with fixing defects in production. Finally, testing before going live is indispensable in ensuring the application provides a safe and secure environment for your customers and your business.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Application Architecture Assessment
  • Security Code Review
  • Application Security Test
• Identify security bugs in our new product

  How can IRM help us Identify security bugs in our new product?

  IRM’s Product Security Review service exposes your product to all the necessary and rigorous processes you need to ship a secure release.

  Like to know more?

  Use the links below to view more information about the service discussed above.

  • Product Security Review
• Review the security of our new infrastructure project

  How can IRM help us review the security of our new infrastructure project?

  IRM’s infrastructure security services can assist you in reviewing the design and configuration followed by penetration testing of your business critical systems to ensure they are secure and sufficiently hardened.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Security Design Review
  • Infrastructure Assessment
  • Penetration Testing
• Implement a security management process

  How can IRM help us implement a security management process?

  From assessing the effectiveness of your information security processes to carrying out risk assessments of mature business environments, IRM consultants are equipped with the right tools and experience to generate a holistic view of the state of security in your organisation.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Information Security Health Check
  • Risk Assessment
• Confirm our security policy is being enforced

  How can IRM help us confirm our security policy is being enforced?

  IRM’s NetFACTS offering is a highly customizable service that reviews your fair use policies and translates them into software rules against which all network traffic is matched to identify deviations and policy violations.

  Like to know more?

  Use the links below to view more information about the service discussed above.

  • NetFACTS
• Manage a security breach

  How can IRM help us manage a security breach?

  The key to managing a security incident is timely identification and response. IRM’s Incident Response service coupled with our Digital Forensics capabilities has helped organisations detect, contain and eradicate incident sources for mission critical systems especially systems surrounding payment card data.

  Once eradication is completed, our NetFACTS probes can be customized and deployed during the recovery and follow up phases to monitor and detect potential remnants of the incident.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Incident Response
  • Digital Forensics
  • NetFACTS

Upcoming Events

Netware Web Server 5.1 Sample Page Source Disclosure

Netware Web Server 5.1 Sample Page Source Disclosure

Vulnerablity Type / Importance: Information Leak / High

Problem discovered: November 18th 2001
Vendor contacted: November 20th 2001, November 29th 2001
Advisory published: December 11th 2001

Abstract:
Novell's Netware 5.1 is shipped with a Web Server that is installed by default and contains various sample web pages. There is a "viewcode" application that is run through a Netware Loadable Module (NLM), which allows the source code of a default web page to be viewed. However, the NLM has the sample page name passed to it through a URL containing the path to the file. It is possible to alter the URL to permit the contents of any file on the system to be viewed even those situated outside the web root. Using this method it is possible to view important configuration files including the autoexec.ncf file which contains the remote console password.

Description:
Netware is an Operating System developed by Novell (http://www.novell.com) and is used by many organisations for user file and print sharing. Version 5.1 of the Netware Operating system comes with a web server that will be installed by default. Included on the web server are a wide variety of sample pages that demonstrate the flexibility and features of the product. However, one sample page uses a Netware Loadable Module (NLM) called sewse.nlm to call a script called viewcode.jse. The viewcode.jse file is designed to be used to display the source code of sample files called httplist.htm and httplist.jse. These file names are passed as parameters to the NLM through a URL such as (URL may wrap):
http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse
The application checks the files being requested by requiring that the httplist directory is specified in the path to the files to be viewed. However, it is possible to traverse directories using /../ after httplist. The sewse.nlm module runs with sufficient permissions whereby it possible to traverse to any file on the file system and view the contents.
There are many files that may be of interest to an attacker and these include: SYS:ETCNETINFO.CFG - Can contain a copy of the rconsole password
SYS:SYSTEMAUTOEXEC.NCF - Contains the rconsole password
SYS:ETCFTPAUDIT.LOG - Contains valid usernames for password guessing attempts

An attacker could use the information gained to lauch further attacks or to gain console access using the rconsole password. An example of the URL used to view the autoexec.ncf is (URL may wrap):
http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf

There are Novell best practices which include encrypting the rconsole password in the autoexec.ncf file. However, there are tools available which can be used to break this encryption. Another Novell recommendation is to use a Console Screensaver which requires the admin password to be entered after a rconsole connection has been made. This issue is similar to the problem discovered with the convert.bas script that shipped with Netware Web Server version 2.0. This previous issue is recorded as Bugtraq ID 2025 and CVE-1999-0175.

Tested Versions:
Netware Web Server 5.1
(The authors were not able to obtain any previous versions, but understand these would be equally effected).

Tested Operating Systems:
Netware Operating System version 5.1

Vendor & Patch Information:
The vendor of this product, Novell, was contacted via email using the address listed as their 'community relations' on 20th November 2001. When no reply was received to this email after nine days, another email was sent on 29th November 2001 to the same address, and copied to 'secure@novell.com'. No reply from either address had been received as of December 11th 2001, and therefore the vulnerability is being released to Bugtraq.

Workarounds:
A workaround involves removing all sample web pages and sample NLMs.

Credits:
Research & Advisory: M Ruks
Thanks: B-r00t, Macavity, morphsta, Blunt, Ant, Shlug, indig0

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.

© 2012 Information Risk Management Plc | Cheltenham House | Clarence Street | Cheltenham GL50 3JR | UK Tel +44 (0)1242 225 200 | Fax +44 (0)1242 225 215 | info@irmplc.com