Novell GroupWise WebAccess prior 6.5.3 error weak authentication 1.0
 
Plugin ID: 345
Plugin name: Novell GroupWise WebAccess prior 6.5.3 error weak authentication
Plugin filename: Novell GroupWise WebAccess prior 6.5.3 error weak authentication.plugin
Plugin filesize: 3597 bytes
Plugin family: CGI
Plugin created name: Marc Ruef
Plugin created email: marc.ruef at computec.ch
Plugin created web: http://www.computec.ch
Plugin created company: computec.ch
Plugin created date: 2004/12/09
Plugin version: 1.0
Plugin protocol: tcp
Plugin port: 80
Plugin procedure exploit: open|send GET /servlet/webacc?error=webacc HTTP/1.0\n\n|close|pattern_exists HTTP/#.# ### *<title>Novell WebAccess()</title>*
Plugin exploit accuracy: 98
Plugin comment: This plugin was written with the ATK Attack Editor.
Bug published name: Marc Ruef
Bug published email: marc.ruef at computec.ch
Bug published web: http://www.computec.ch
Bug published company: computec.ch
Bug published date: 2004/12/09
Bug produced name: Novell
Bug produced email: info at novell.com
Bug produced web: http://www.novell.com
Bug affected: Novell GroupWise WebAccess prior 6.5.3
Bug not affected: Novell GroupWise WebAccess newer than 6.5.3 or other products
Bug vulnerability class: Weak Authentication
Bug false positives: This depends on how Novell will fix this flaw.
Bug description: It is possible to circumvent the login procedure. When a user connects to WebAccess, he authenticates with his user name and password. If wrong input is given, the webacc application loads the error page. It is possible to specify another error document with the $QUERY_STRING parameter error. If this reference points to webacc itself, the login is circumvented. You are then always logged in as a "ghost user" without a profile. It does not seem to be possible to load and store data or to use other services (e.g. address book or sending email). It is also possible to reach specific template files by specifying their names. Reaching files with an extension other than .htt, or files outside the web server root directory, does not seem to be possible. An attacker may use this vulnerability to exploit a bug that is only exploitable by authenticated users.
Bug solution: The flaws may be patched with an upcoming bugfix or a new software release. As a workaround, you should deny untrusted incoming connections to your WebAccess through firewalling.
Bug fixing time: Approx. 30 minutes
Bug exploit availability: Yes
Bug exploit url: https://www.computec.ch/servlet/webacc?error=webacc
Bug remote: Yes
Bug local: Yes
Bug severity: High
Bug popularity: 6
Bug simplicity: 8
Bug impact: 8
Bug risk: 7
Source scipID: 1020
Source Literature: Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X
Source Misc.: http://developer.novell.com/ndk/doc/gwwbacc/index.html?page=/ndk/doc/gwwbacc/gwwebacc/data/a6l4t54.html

This file was generated by the Attack Tool Kit (ATK), the open-sourced security scanner and exploiting framework.