_______________________________________________________________________________ I N F O R M A T I O N A N A R C H Y 2 K 0 1 www.nmrc.org/InfoAnarchy Nomad Mobile Research Centre A D V I S O R Y www.nmrc.org Cyberiad [cyberiad@nmrc.org] 10May2002 _______________________________________________________________________________ Platforms : Solaris 2.8 Application: Critical Path inJoin V4.0 Directory Server Severity : Medium Synopsis -------- This advisory documents a web traversal vulnerability in the Web-based administrator interface, named iCon, of the inJoin Directory Server that allows an attacker with the correct username and password to read any file accessible to the ids user. Details ------- The administrative web server, iCon, listens on TCP port 1500 and runs under the ids account. By connecting to this port using a web browser and entering a correct administrator username and password, an operator can remotely administer the Directory Server and view log entries. The URL used to view log entries is of the form. http://ip:1500/CONF&LOG=iCon.err&NOIH=no&FRAMES=y The value of the file= parameter refers to a file named iCon.err. Unfortunately, no checks are performed on the location of this value. Therefore, an authenticated user can replace the file= parameter with the absolute path to a filename and read the contents. For example, the following request returns the /etc/passwd file, http://ip:1500/CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y Only those files that can be read by the ids account are accessible. For example, by default, /etc/shadow cannot be retrieved. Testing confirmed that the attack is not successful without the correct administrator username and password. Tested configurations --------------------- Testing was performed with the following configurations: Critical Path inJoin V4.0 Directory Server Solaris 2.8 Vendor Response --------------- Critical Path Inc: Critical Path was contacted on April 30, 2002 and has implemented preventative fixes for this issue. A maintenance release to be known as iCon 4.1.4.7 will be posted on the Critical Path support website at http://support.cp.net, which is available to supported customers. This will be within the next few weeks, dependent upon other fixes that need to be made available in this maintenance release. Solution/Workaround ------------------- Filter TCP port 1500 at the border to prohibit public access to the Directory Server's administrative interface. Use a strong password on the Directory Server administrator account and change regularly. Distribute the password to only Directory Server administrators. Modify permissions on sensitive files to prohibit access by the ids user. Though administration of the Directory Server over SSL is currently not supported, Ciritical Path recommends the use of VPN software to mitigate the risk of disclosure of the administrator username and password. The next major release of the Critical Path Directory Server will features SSL-enablement of the web-based management interface. Comments -------- This advisory has been released under Information Anarchy - http://www.nmrc.org/InfoAnarchy/ Copyright --------- This advisory is Copyright (c) 2002 NMRC - feel free to distribute it without edits but fear us if you use this advisory in any type of commercial endeavour. _______________________________________________________________________________