
List:       bugtraq
Subject:    IBM Net.Data Local Path Disclosure Vulnerability?
From:       Chad Kalmes <chad.j.kalmes () US ! ARTHURANDERSEN ! COM>
Date:       2000-11-28 16:45:58

Not sure if this is exactly a new issue or not, but 
IBM's Net.Data package (often used in conjunction 
with NetCommerce3 and db2www) will disclose the 
local path of server files if fed improper requests.  
This software is in use on a variety of sites, including 
several online-shopping locales.

Example (from IBM's own pages):

By issuing a /report request from the document.d2w 
file, the db2www package builds and displays the 
proper HTML page, as requested.

VALID CALL:
http://www-4.ibm.com/cgi-bin/db2www/library/document.d2w/report?uid=UNKNOWN&pwd=&search_type=SIMPLE&r_host=&last_page=db2www0022.html&fn=db2www.html#ToC

YIELDS:
Proper web page.

However, by issuing a bad /show request 
(or /garbarge, /whatever, etc.), the package outputs
an error message showing the local path to the d2w 
macro file, assuming no valid /show function exists 
within the .d2w file.

INVALID CALL:
http://www-4.ibm.com/cgi-bin/db2www/library/document.d2w/show

YIELDS:
DTWP029E: Net.Data is unable to locate the HTML 
block SHOW in file 
/projects/www/netdata/macro/software/library/document.d2w.

While not a security problem per se, it still yields 
increased information about the local host system.  
This 'feature' or 'flaw' is present on both *NIX and 
WIN versions of the software (unsure about OS2) 
and every instance I've found on the Internet is 
subject to this disclosure.  Path disclosure 
vulnerabilities have been highlighted in other 
packages, so I figured I'd point this one out as well.

There may be a debugging switch or custom error 
message that could be turned on/off that would 
prevent the output of the Net.Data error to the end 
user, but I am somewhat unfamiliar with the specifics 
of the available software/server configuration.

IBM was contacted on 11/27 with an inquiry regarding 
any ways to prevent this but responded only with a 
form e-mail linking to a website which offered no 
support or further contact information without 
purchasing premium support.

ck
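
Added example, not part of the original post and not IBM code: a response-body check a site operator could run in a proxy or a test suite to detect Net.Data error text that carries a server path, and to replace it with a generic message before it reaches the client. The message-ID pattern is generalised from the single code quoted above (DTWP029E) and is an assumption, as are the function names and the Windows sample path.

```python
import re

# Message-ID shape generalised from the one code in the post (DTWP029E);
# "DTWP" + three digits + one letter is an assumption, not IBM documentation.
MSG_ID = r"DTWP\d{3}[A-Z]"

# Absolute paths, POSIX (/a/b/c.d2w) or Windows (C:\a\b.d2w). At least two
# segments are required so a lone "/" in ordinary markup is not flagged.
PATH = (r"(?:[A-Za-z]:\\(?:[^\\\s<>\"]+\\)+[^\\\s<>\"]+"
        r"|/(?:[^/\s<>\"]+/)+[^/\s<>\"]+)")

# A leak is a Net.Data message ID followed, inside the same text node,
# by an absolute path. Ordinary links to .d2w macros do not match.
LEAK = re.compile(rf"({MSG_ID}):[^<]*?({PATH})", re.S)

GENERIC = "The requested page could not be displayed."


def find_leaks(body: str) -> list[tuple[str, str]]:
    """Return (message_id, disclosed_path) pairs found in a response body."""
    return [(m.group(1), m.group(2).rstrip(".,;:")) for m in LEAK.finditer(body)]


def sanitize(body: str, generic: str = GENERIC) -> str:
    """Replace each leaking error message with a generic one."""
    return LEAK.sub(generic, body)


# Constructed sample bodies. The first wraps the error text quoted in the
# post; the Windows path and the clean page are made up for illustration.
SAMPLE_UNIX = ("<html><body>DTWP029E: Net.Data is unable to locate the HTML "
               "block SHOW in file "
               "/projects/www/netdata/macro/software/library/document.d2w."
               "</body></html>")
SAMPLE_WIN = ("<html><body>DTWP029E: Net.Data is unable to locate the HTML "
              r"block SHOW in file C:\inetpub\macro\shop.d2w.</body></html>")
CLEAN = '<html><body><a href="/cgi-bin/db2www/shop.d2w/report">Catalog</a></body></html>'

if __name__ == "__main__":
    for name, body in [("unix", SAMPLE_UNIX), ("win", SAMPLE_WIN), ("clean", CLEAN)]:
        print(name, find_leaks(body))
    print(sanitize(SAMPLE_UNIX))
```

Log the pairs returned by find_leaks server-side so the original error stays available for debugging while clients see only the generic text.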
