

[ISN] Novell Patches Security Hole In GroupWise Server

  • To: [EMAIL PROTECTED]
  • Subject: [ISN] Novell Patches Security Hole In GroupWise Server
  • From: InfoSec News <[EMAIL PROTECTED]>
  • Date: Wed, 17 Oct 2001 04:42:45 -0500 (CDT)
 
http://www.newsbytes.com/news/01/171160.html

By Steven Bonisteel, Newsbytes
PROVO, UTAH, U.S.A.,
16 Oct 2001, 7:45 AM CST
 
Novell Inc. [NASDAQ:NOVL] is urging users of its GroupWise software
for messaging and collaboration to patch a security hole that could
allow an intruder to view any file on a GroupWise server via the
application's Web interface.

The problem is found in the WebAccess system of the GroupWise 5.5
Enhancement Pack and in the most-recent GroupWise 6 release, Novell
said.
 
However, since GroupWise, like the competing Microsoft Exchange
server, is most often found behind the firewalls of corporate
intranets, those who might exploit the security hole are most likely
to come from a company's own disgruntled ranks.

Discovered by Irvine, Calif., security company Foundstone, the
GroupWise vulnerability is found in its script-driven interface for
user access to e-mail and communal collaboration tools.

Foundstone first discovered that supplying an invalid command to the
GroupWise program Novell calls "webacc" will cause the server to
reveal the full path to the directory in which the GroupWise system is
installed.

In addition, an unauthorized individual can view files anywhere on the
server by passing to webacc a relative path to the target file and the
file name, followed by a specially encoded null character.

In an advisory on its GroupWise support site, Novell pointed out that
an attacker would have to know the exact location and name of the file
he or she wanted to view.

However, Foundstone suggested that the system's willingness to divulge
its own installation directories would make it easier for a savvy
hacker to find the GroupWise configuration files as well as any
well-known system files that may be installed on the same logical
drive.

Novell has additional information and a patch for the problem online
here: http://www.novell.com/products/groupwise

Foundstone can be found here: http://www.foundstone.com



-
ISN is currently hosted by Attrition.org

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY
of the mail.
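
A log-review sketch for the request pattern the article describes (a relative path plus an encoded null character passed to webacc). It is an added example, not part of the Newsbytes article and not Novell or Foundstone code. The log lines are constructed, and the URL prefix `/example/` and parameter name `p` are placeholders, not the product's real interface.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Common Log Format; the URL prefix and the
# parameter name "p" are placeholders, not GroupWise's real interface.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2001:07:45:00 -0600] "GET /example/webacc?p=inbox HTTP/1.0" 200 5120
10.0.0.9 - - [16/Oct/2001:07:46:10 -0600] "GET /example/webacc?p=..%2f..%2fsome.cfg%00 HTTP/1.0" 200 312
10.0.0.9 - - [16/Oct/2001:07:46:30 -0600] "GET /example/webacc?p=%252e%252e%255cfile%2500 HTTP/1.0" 200 87
10.0.0.7 - - [16/Oct/2001:07:47:02 -0600] "GET /example/index.html HTTP/1.0" 200 900
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# ".." used as a path component, with either slash style.
TRAVERSAL = re.compile(r'(^|[/\\=&])\.\.([/\\]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def findings(log_text, script="webacc"):
    """Return (client, status, reasons) for suspicious requests to script."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.rstrip("/").endswith("/" + script):
            continue
        query = fully_decode(parts.query)
        reasons = []
        if "\x00" in query:
            reasons.append("encoded-null")
        if TRAVERSAL.search(query):
            reasons.append("relative-path")
        if reasons:
            hits.append((client, int(status), reasons))
    return hits
```

A flagged request that returned status 200 is the one to triage first, since it suggests the server answered rather than rejected the input.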




 