|
| From: | NOVELL | | Date: | 20.08.2002 | | Subject: | NOVL-2002-2963297 - NetBasic Buffer Overflow + Scripting Vulnerability |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
For Immediate Disclosure
============================== Summary ==============================
Security Alert: NOVL-2002-2963297
Title: NetBasic Buffer Overflow + Scripting Vulnerability
Date: 20-Aug-2002
Revision: Original Security Alert
Product Name: NetBasic Scripting Handler (NSN)
OS/Platform(s): Netware 5.1, 6, Novell Small Business Suite 5.1,
Novell Small Business Suite 6
Reference URL: http://support.novell.com/servlet/tidfinder/2963297
Vendor Name: Novell, Inc.
Vendor URL: http://www.novell.com
Security Alerts: http://support.novell.com/security-alerts
Affects: Various on the SYS: volume.
Identifiers: None
Credits: Rain Forrest Puppy <rfp@wiretrip.net>
============================ Description ============================
This patch takes care of the following security vulnerabilities with
NetBasic Scripting Server (NSN):
1. Unauthorized Access to system resources.
2. %5c can be used to escape to higher level directories
3. NSN buffer over flow problem
============================== Impact ===============================
Unauthorized Access to system resources, specifically:
%5c can be used to escape to higher level directories
When NetBasic scripting server (NSN) is mapped as a handler, like
http://servername.whatever.com/nsn/whatever, then, although access
cannot be granted to files by entering .../nsn/../dir/script, nor
...nsn/..\dir/script, it is possible to get there via
...nsn/..%5dir/script.
The %5 gets mapped to the directory separator, though Netware
prevents "/" or "\" from being used.
NSN buffer over flow problem
Similar to ndsobj.nlm, the Netbasic interpreter has a buffer overflow
in the handling of long module names. Submitting a module name of of
230 bytes results in an ABEND:
<http://host/nsn/AAA...230> total...AAA
======================== Recommended Actions ========================
Note: The patch file is currently available as a BETA patch, which
means a user registration (no fee) is required to download the file.
This patch when extracted creates NSCRIPT.ZIP.
Unzip the contents of this ZIP file to SYS: volume of your server,
then restart the server.
See detailed instructions in the referenced Technical Information
Document (TID) http://support.novell.com/servlet/tidfinder/2963297.
============================ DISCLAIMER =============================
The content of this document is believed to be accurate at the time
of publishing based on currently available information. However, the
information is provided "AS IS" without any warranty or
representation. Your use of the document constitutes acceptance of
this disclaimer. Novell disclaims all warranties, express or implied,
regarding this document, including the warranties of merchantability
and fitness for a particular purpose. Novell is not liable for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this document or any security alert, even if
Novell has been advised of the possibility of such damages and even
if such damages are foreseeable.
============================ Appendices =============================
None
================ Contacting Novell Security Alerts ==================
To report suspected security vulnerabilities in Novell products, send
email to
secure@novell.com
PGP users may send signed/encrypted information to us using our PGP
key, available from the pgpkeys.mit.edu server, or our website at:
http://support.novell.com/security-alerts
Security Alerts, Novell, Inc. PGP Key Fingerprint:
F5AE 9265 0A34 F84E 580E 9B87 3AC1 1974 DE05 0FDB
========================= Revision History ==========================
Original: 13-Aug-2002 - Original TID Publication
Revised: 16-Aug-2002
Security Alert: 20-Aug-2002
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
iQA/AwUBPWJnSjrBGXTeBQ/bEQLp0gCg2RkGyjd744Lkh9khUIvYIkEJ2kIAoJFl
lEhe+69jnII7PqZeY++uLacy
=Bw26
-----END PGP SIGNATURE-----
|
