Plugin ID | 345 |
Plugin name | Novell GroupWise WebAccess prior 6.5.3 error weak authentication |
Plugin filename | Novell GroupWise WebAccess prior 6.5.3 error weak authentication.plugin |
Plugin filesize | 3597 bytes |
Plugin family | CGI |
Plugin created name | Marc Ruef |
Plugin created email | marc.ruef at computec.ch |
Plugin created web | http://www.computec.ch |
Plugin created company | computec.ch |
Plugin created date | 2004/12/09 |
Plugin version | 1.0 |
Plugin protocol | tcp |
Plugin port | 80 |
Plugin procedure exploit | open|send GET /servlet/webacc?error=webacc HTTP/1.0\n\n|close|pattern_exists HTTP/#.# ### *<title>Novell WebAccess()</title>* |
Plugin exploit accuracy | 98 |
Plugin comment | This plugin was written with the ATK Attack Editor. |
Bug published name | Marc Ruef |
Bug published email | marc.ruef at computec.ch |
Bug published web | http://www.computec.ch |
Bug published company | computec.ch |
Bug published date | 2004/12/09 |
Bug produced name | Novell |
Bug produced email | info at novell.com |
Bug produced web | http://www.novell.com |
Bug affected | Novell GroupWise WebAccess prior to 6.5.3 |
Bug not affected | Novell GroupWise WebAccess newer than 6.5.3 or other products |
Bug vulnerability class | Weak Authentication |
Bug false positives | This depends on how Novell will fix this flaw. |
Bug description | It is possible to circumvent the login procedure. A user who connects to WebAccess normally authenticates with a user name and password. If the input is wrong, the webacc application loads the error page. Another error document can be specified with the error parameter in $QUERY_STRING. If this reference points to webacc itself, the login is circumvented. You are then always logged in as a "ghost user" without a profile. It does not seem to be possible to load and store data or to use other services (e.g. address book or sending email). It is also possible to reach specific template files by specifying their names. Reaching files with an extension other than .htt, or files outside the web server root directory, does not seem possible. An attacker may use this vulnerability to exploit a bug that is only exploitable by authenticated users. |
Bug solution | The flaws may be patched with an upcoming bugfix or a new software release. As a workaround you should deny untrusted incoming connections to your WebAccess through firewalling. |
Bug fixing time | Approx. 30 minutes |
Bug exploit availability | Yes |
Bug exploit url | https://www.computec.ch/servlet/webacc?error=webacc |
Bug remote | Yes |
Bug local | Yes |
Bug severity | High |
Bug popularity | 6 |
Bug simplicity | 8 |
Bug impact | 8 |
Bug risk | 7 |
Source scipID | 1020 |
Source Literature | Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X |
Source Misc. | http://developer.novell.com/ndk/doc/gwwbacc/index.html?page=/ndk/doc/gwwbacc/gwwebacc/data/a6l4t54.html |